E1024X

Name of the Vulnerable Software and Affected Versions ZLMediaKit (affected versions not specified) Description The software is a streaming media service framework. The VP9 RTP payload parser in `ext-codec/VP9Rtp.cpp` improperly handles RTP payloads, specifically failing to verify sufficient data exists in the buffer before reading multiple fields based on flag bits in the first byte. A crafted VP9 RTP packet with a 1-byte payload can trigger a heap-buffer-overflow due to reading past the end of the allocated buffer. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Tinyauth versions prior to 5.0.3 **Description** Tinyauth is an authentication and authorization server. The OIDC token endpoint does not verify that the client exchanging an authorization code is the same client to which the code was originally issued. This allows a malicious OIDC client operator to exchange another client's authorization code using their own credentials, potentially obtaining tokens for users who did not authorize their application. This violates RFC 6749 Section 4.1.3. The issue occurs during token exchange at the `/api/oidc/token` endpoint, where the `ClientID` stored with the authorization code is not compared against the requesting client's ID (`creds.ClientID`). The vulnerable parameter is the `code` parameter in the token exchange request. **Recommendations** Update Tinyauth to version 5.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Tinyauth versions prior to 5.0.3 **Description** Tinyauth is an authentication and authorization server. The OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. The issue occurs because the OIDC authorize handler does not check if a user is fully logged in or if TOTP is pending, unlike the proxy controller which correctly blocks incomplete sessions. Specifically, the handler proceeds to issue an authorization code using the username from the incomplete session. This allows an attacker to exchange the code for tokens, gaining access without completing TOTP authentication. The vulnerability affects all downstream applications relying on tinyauth’s OIDC provider for authentication. **Recommendations** Update Tinyauth to version 5.0.3 or later.