Entries by OXID Security Team

Security Bulletin 2015-001

CVE-2015-6926: An attacker can deploy his own OpenID Identity Provider (IdP) issuing valid OpenID authentication tokens (OpenID supports the usage of arbitrary IdPs). The attacker’s IdP can issue tokens containing any email address within the token (this feature is allowed by the OpenID specification).

Security bulletin: 2014-001

CVE-2014-2016: Under certain circumstances, an attacker can trick a user to enter a specially crafted URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or collect sensitive information of this user.

Security bulletin: 2013-001

CVE-2013-5913: Under certain circumstances, an attacker can trick a user to enter a specially crafted URI or click on a mal-formed link to exploit a cross-site scripting vulnerability that theoretically can be used to gain unauthorized access to a user account or collect sensitive information of this user.