CVE-2023-28131

CRITICAL Year: 2023
CVSS v3 Score
9.6
Critical
Weakness Type
CWE-522
View all →

Vulnerability Description

A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc).

Related Vulnerabilities

CVE-2000-0944

CRITICAL
CVSS:9.8(Critical)

CGI Script Center News Update 1.1 does not properly validate the original news administration password during a password change operation, which allows remote attackers to modify the password without ...

CWE-5222000

CVE-2005-3435

CRITICAL
CVSS:9.8(Critical)

admin_news.php in Archilles Newsworld up to 1.3.0 allows attackers to bypass authentication by obtaining the password hash for another user, for example through another Newsworld vulnerability, and sp...

CWE-5222005

CVE-2007-0681

CRITICAL
CVSS:9.8(Critical)

profile.php in ExtCalendar 2 and earlier allows remote attackers to change the passwords of arbitrary users without providing the original password, and possibly perform other unauthorized actions, vi...

CWE-5222007

CVE-2013-7052

CRITICAL
CVSS:9.8(Critical)

D-Link DIR-100 4.03B07: security bypass via an error in the cliget.cgi script

CWE-5222013

CVE-2013-7055

CRITICAL
CVSS:9.8(Critical)

D-Link DIR-100 4.03B07 has PPTP and poe information disclosure

CWE-5222013

CVE-2014-3445

CRITICAL
CVSS:9.8(Critical)

backup.php in HandsomeWeb SOS Webpages before 1.1.12 does not require knowledge of the cleartext password, which allows remote attackers to bypass authentication by leveraging knowledge of the adminis...

CWE-5222014