CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: Summary
PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework. However, it was found that an attacker could cause the check to be skipped.
Impact
Under certain circumstances (see below), if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visiting a malicious web site, then attacker could potentially steal the victim's credentials to the same OAuth server and subsequently impersonate them.
In order for the attack to be possible, the OAuth server's authorized callback must be designed to auto-approve authorizations that appear to come from an OAuth client that the victim has authorized previously. The authorization flow is not implemented by workers-oauth-provider; it is up to the application built on top to decide whether to implement such automatic re-authorization. However, many applications do implement such logic.
Patches
Fixed in: https://github.com/cloudflare/workers-oauth-provider/pull/26
We patched up the vulnerabilities in the latest version, v 0.0.5 of the Workers OAuth provider (https://www.npmjs.com/package/@cloudflare/workers-oauth-provider). You'll need to update your MCP servers to use that version to resolve the vulnerability.
Workarounds
None
Note
It is a basic, well-known requirement that OAuth servers should verify that the redirect URI is among the allowed list for the client, both during the authorization flow and subsequ...
CVSS: MEDIUM (6.0) EPSS Score: 0.01%
May 1st, 2025 (about 2 months ago)
|
CVE-2024-11994 |
Description: APM server logs could contain parts of the document body from a partially failed bulk index request. Depending on the nature of the document, this could disclose sensitive information in APM Server error logs.
CVSS: MEDIUM (5.7) EPSS Score: 0.03%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2024-11390 |
Description: Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files.
The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.
CVSS: MEDIUM (5.4) EPSS Score: 0.03% SSVC Exploitation: none
May 1st, 2025 (about 2 months ago)
|
|
CVE-2024-13381 |
Description: The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVSS: MEDIUM (4.8) EPSS Score: 0.03%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2024-13845 |
Description: The Gravity Forms WebHooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.0 via the 'process_feed' method of the GF_Webhooks class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS: MEDIUM (5.5) EPSS Score: 0.04%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-4144 |
Description: PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped.
Fixed in:
https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27
Impact:
PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2024-30146 |
Description: Improper access control of endpoint in HCL Domino Leap
allows certain admin users to import applications from the
server's filesystem.
CVSS: MEDIUM (4.1) EPSS Score: 0.04%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2024-30145 |
Description: Multiple vectors in HCL Domino Volt and Domino Leap allow client-side
script injection in the authoring environment and deployed applications.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2024-30115 |
Description: Insufficient sanitization policy in HCL Leap
allows client-side script injection in the deployed application through the
HTML widget.
CVSS: MEDIUM (6.3) EPSS Score: 0.03%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2025-24132 |
Description: The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1. An attacker on the local network may cause an unexpected app termination.
CVSS: MEDIUM (6.5) EPSS Score: 0.01%
April 30th, 2025 (about 2 months ago)
|