Unknown · Yii2-Authclient · CVE-2023-50714
**Name of the Vulnerable Software and Affected Versions**
yii2-authclient versions prior to 2.2.15
**Description**
The OAuth2 PKCE implementation in yii2-authclient is vulnerable in two ways. First, the `authCodeVerifier` stored in the session is not removed once it has been used in the token exchange, whereas `authState` is; a verifier that survives the callback can be consumed again in a later request instead of being single-use. Second, there is a risk of a downgrade attack if PKCE is relied on for CSRF protection: PKCE only binds the authorization code to the client that started the flow when the authorization server actually enforces the `code_challenge`, so a client that treats PKCE as a substitute for validating the `state` parameter loses its CSRF defense whenever that enforcement is absent.
**Recommendations**
For versions prior to 2.2.15, update to version 2.2.15 or later to resolve the issue.
As a temporary workaround, clear `authCodeVerifier` from the session as soon as the token exchange has run (whether or not it succeeded), and continue to generate and validate the `state` parameter on every callback rather than relying on PKCE for CSRF protection until the patch is applied.
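The two properties described above, single-use `authCodeVerifier` handling and `state` validation that does not depend on PKCE, are illustrated by the following self-contained Python sketch of the client side of an OAuth2 authorization-code flow. This is an added example written for this page; it is not yii2-authclient code and does not reproduce its API. The session is modelled as a plain dict, the `build_authorize_params`, `handle_callback`, `handle_callback_leaky` and `pkce_usable_for_csrf` names are assumptions of the example, and the callback parameters in the test are constructed inputs.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field


def pkce_pair() -> tuple[str, str]:
    """Generate a code_verifier and its S256 code_challenge as in RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def pkce_usable_for_csrf(server_metadata: dict) -> bool:
    """PKCE may stand in for `state` only if the server advertises S256 support
    (assumed helper; the check mirrors the OAuth 2.0 Security BCP guidance).
    Without that guarantee a flow that omits the challenge is silently accepted,
    which is the downgrade the advisory warns about."""
    return "S256" in server_metadata.get("code_challenge_methods_supported", [])


@dataclass
class OAuthClient:
    # Stand-in for the user's server-side session store (assumption of the example).
    session: dict = field(default_factory=dict)

    def build_authorize_params(self) -> dict:
        """Start a flow: remember state and verifier, return what goes on the authorize URL."""
        state = secrets.token_urlsafe(32)
        verifier, challenge = pkce_pair()
        self.session["authState"] = state
        self.session["authCodeVerifier"] = verifier
        return {
            "state": state,
            "code_challenge": challenge,
            "code_challenge_method": "S256",
        }

    def handle_callback(self, params: dict) -> dict:
        """Fixed behaviour: both values are pop()ed before anything else, so they are
        consumed exactly once whether the exchange succeeds or fails, and the `state`
        check is independent of PKCE."""
        expected_state = self.session.pop("authState", None)
        verifier = self.session.pop("authCodeVerifier", None)
        received_state = params.get("state", "")
        if expected_state is None or not secrets.compare_digest(expected_state, received_state):
            raise ValueError("state mismatch or no pending authorization")
        if verifier is None:
            raise ValueError("no pending PKCE verifier")
        # Body of the token request the client would now POST to the token endpoint.
        return {
            "grant_type": "authorization_code",
            "code": params["code"],
            "code_verifier": verifier,
        }

    def handle_callback_leaky(self, params: dict) -> dict:
        """Vulnerable pattern for contrast: `authState` is removed but `authCodeVerifier`
        is only read, so it stays in the session and can be reused by a later callback."""
        expected_state = self.session.pop("authState", None)
        verifier = self.session.get("authCodeVerifier")
        received_state = params.get("state", "")
        if expected_state is None or not secrets.compare_digest(expected_state, received_state):
            raise ValueError("state mismatch or no pending authorization")
        if verifier is None:
            raise ValueError("no pending PKCE verifier")
        return {
            "grant_type": "authorization_code",
            "code": params["code"],
            "code_verifier": verifier,
        }
```

Run the fixed path twice with the same callback parameters and the second call fails, because the session no longer holds a state or a verifier; the leaky variant leaves `authCodeVerifier` behind after the first call. The `state` comparison runs regardless of whether the server honoured the `code_challenge`, which is what keeps CSRF protection intact when PKCE is downgraded.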