Skip to content

WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover

High severity GitHub Reviewed Published Jan 7, 2025 in h44z/wg-portal • Updated Jan 7, 2025

Package

gomod github.com/h44z/wg-portal (Go)

Affected versions

>= 2.0.0-alpha.1, < 2.0.0-alpha.3

Patched versions

2.0.0-alpha.3

Description

Impact

Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website.

Patches

The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The docker images for the tag 'latest' built from the master branch also include the fix.

References

@h44z h44z published to h44z/wg-portal Jan 7, 2025
Published to the GitHub Advisory Database Jan 7, 2025
Reviewed Jan 7, 2025
Last updated Jan 7, 2025

Severity

High

EPSS score

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-2r2v-9pf8-6342

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.