{"id":"GHSA-4rg6-fm25-gc34","summary":"oauth2-server through 3.1.1 vulnerable to Open Redirect","details":"In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the `redirect_uri` parameter received during the authorization and token request is checked against an incorrect URI pattern (`[a-zA-Z][a-zA-Z0-9+.-]+:`) before making a redirection. This allows a malicious client to pass an XSS payload through the redirect_uri parameter while making an authorization request. NOTE: this vulnerability is similar to CVE-2020-7741.","aliases":["CVE-2020-26938"],"modified":"2023-11-08T04:03:20.585885Z","published":"2022-08-30T00:00:26Z","database_specific":{"github_reviewed":true,"severity":"HIGH","nvd_published_at":"2022-08-29T21:15:00Z","github_reviewed_at":"2022-09-16T19:36:13Z","cwe_ids":["CWE-601"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26938"},{"type":"WEB","url":"https://github.com/oauthjs/node-oauth2-server/issues/637"},{"type":"PACKAGE","url":"https://github.com/oauthjs/node-oauth2-server"},{"type":"WEB","url":"https://github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/grant-types/authorization-code-grant-type.js#L143"},{"type":"WEB","url":"https://github.com/oauthjs/node-oauth2-server/blob/91d2cbe70a0eddc53d72def96864e2de0fd41703/lib/validator/is.js#L12"},{"type":"WEB","url":"https://tools.ietf.org/html/rfc3986#section-3"},{"type":"WEB","url":"https://tools.ietf.org/html/rfc6749#section-3.1.2"}],"affected":[{"package":{"name":"oauth2-server","ecosystem":"npm","purl":"pkg:npm/oauth2-server"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"last_affected":"3.1.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-4rg6-fm25-gc34/GHSA-4rg6-fm25-gc34.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}]}