Security
Headlines
HeadlinesLatestCVEs

Tag

#oauth

CVE-2023-22341: myF5

On version 14.1.x before 14.1.5.3, and all versions of 13.1.x, when the BIG-IP APM system is configured with all the following elements, undisclosed requests may cause the Traffic Management Microkernel (TMM) to terminate: * An OAuth Server that references an OAuth Provider * An OAuth profile with the Authorization Endpoint set to '/' * An access profile that references the above OAuth profile and is associated with an HTTPS virtual server Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVE
#oauth#auth
Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Hack Corporate Email Accounts

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a malicious campaign designed to breach organizations' cloud environments and steal email. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting

GitHub Reports Code-Signing Certificate Theft in Security Breach

By Deeba Ahmed GitHub states that hackers gained access to its code repositories and stole code-signing certificates for two of its desktop apps: Desktop and Atom. This is a post from HackRead.com Read the original post: GitHub Reports Code-Signing Certificate Theft in Security Breach

Phishers Trick Microsoft Into Granting Them 'Verified' Cloud Partner Status

Everyone on Twitter wants a blue check mark. But Microsoft Azure's blue badges are even more valuable to a threat actor stealing your data via malicious OAuth apps.

Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process

Summary On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure … Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process Read More »

Microsoft Investigation - Threat actor consent phishing campaign abusing the verified publisher process

Summary Summary On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD.

Microsoft Investigation - Threat actor consent phishing campaign abusing the verified publisher process

Summary Summary On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). The actor used fraudulent partner accounts to add a verified publisher to OAuth app registrations they created in Azure AD.

GHSA-685j-36qx-3vp2: Cross-site request forgery vulnerability in Jenkins Bitbucket OAuth Plugin

A cross-site request forgery (CSRF) vulnerability in Jenkins Bitbucket OAuth Plugin 0.12 and earlier allows attackers to trick users into logging in to the attacker's account.

GHSA-x9q4-qwfh-9gjq: Session fixation vulnerability in Jenkins Bitbucket OAuth Plugin

Jenkins Bitbucket OAuth Plugin 0.12 and earlier does not invalidate the previous session on login.

CVE-2023-24435: Jenkins Security Advisory 2023-01-24

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.