Openbao · Openbao · CVE-2026-33757
**Name of the Vulnerable Software and Affected Versions**
OpenBao versions prior to 2.5.2
**Description**
OpenBao, an open source identity-based secrets management system, does not prompt for user confirmation when logging in via JWT/OIDC with a role whose `callback_mode` is set to `direct`. In `direct` mode the OpenBao server itself receives the identity provider's callback, and the client that started the login repeatedly queries the OpenBao API for a token until one is issued. Because the token is returned to whoever initiated the flow rather than to the person who authenticated at the provider, an attacker can initiate an authentication request, send the resulting URL to a victim, and perform a "remote phishing" attack: a victim who visits the crafted URL and completes login at the provider is automatically logged into the attacker's session, and the attacker's polling then yields an OpenBao token carrying the victim's identity and policies.
**Recommendations**
Versions prior to 2.5.2: Upgrade to version 2.5.2 or later, which adds a confirmation screen for `direct` mode logins that requires manual user interaction before a token is issued.
Versions prior to 2.5.2: Until the upgrade is possible, remove any JWT/OIDC roles with `callback_mode` set to `direct`, so that no role can be used to start a login that a third party can collect.
Versions prior to 2.5.2: Alternatively, configure the identity provider so that every authorization request for the Client ID used by OpenBao requires an explicit, interactive confirmation from the user, rather than completing silently on the basis of an existing provider session.
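The second recommendation presupposes that you can find every affected role across all JWT/OIDC mounts. The following audit script is an added example, not OpenBao project code. It assumes the upstream JWT/OIDC plugin API: auth mounts are listed at `GET /v1/sys/auth` with a `type` field, roles are listed at `auth/<mount>role` with `?list=true`, each role is read at `auth/<mount>role/<name>` and reports its `callback_mode` field, the server accepts the `X-Vault-Token` header, and the `BAO_ADDR`/`BAO_TOKEN` environment variables point at the server. The mount and role data used when no server is configured is constructed for the example.

```python
"""Audit an OpenBao deployment for JWT/OIDC roles with callback_mode "direct",
the configuration affected by CVE-2026-33757.

Added example, not OpenBao project code. Endpoint paths, the callback_mode
field name, the X-Vault-Token header and the BAO_ADDR/BAO_TOKEN variables are
assumptions based on the upstream JWT/OIDC auth plugin API.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Auth method types served by the JWT/OIDC plugin (assumed, as upstream).
JWT_OIDC_TYPES = {"jwt", "oidc"}


def find_direct_roles(
    mounts: Dict[str, dict],
    list_roles: Callable[[str], List[str]],
    read_role: Callable[[str, str], Optional[dict]],
) -> List[str]:
    """Return "auth/<mount><role>" for every JWT/OIDC role whose callback_mode
    is "direct". A role with no callback_mode uses the plugin default
    ("client") and is therefore not reported."""
    affected: List[str] = []
    for mount, info in sorted(mounts.items()):
        if info.get("type") not in JWT_OIDC_TYPES:
            continue  # token, userpass, etc. have no OIDC callback
        for name in list_roles(mount):
            role = read_role(mount, name) or {}
            if role.get("callback_mode") == "direct":
                affected.append(f"auth/{mount}{name}")
    return affected


def _api(addr: str, token: str, path: str, params: str = "") -> dict:
    """GET /v1/<path> and return its "data" object ({} on 404, i.e. no roles)."""
    req = urllib.request.Request(
        f"{addr}/v1/{path}{params}", headers={"X-Vault-Token": token}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp).get("data") or {}
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return {}
        raise


def live_audit(addr: str, token: str) -> List[str]:
    """Run the audit against a real server (needs read on sys/auth, list on
    auth/*/role and read on auth/*/role/*)."""
    return find_direct_roles(
        _api(addr, token, "sys/auth"),
        lambda m: _api(addr, token, f"auth/{m}role", "?list=true").get("keys", []),
        lambda m, n: _api(addr, token, f"auth/{m}role/{n}"),
    )


# Constructed sample data shaped like the API responses, for offline use.
SAMPLE_MOUNTS = {
    "token/": {"type": "token"},
    "oidc/": {"type": "oidc"},
    "jwt-ci/": {"type": "jwt"},
    "userpass/": {"type": "userpass"},
}
SAMPLE_ROLES = {
    "oidc/": {
        "ops": {"role_type": "oidc", "callback_mode": "direct", "user_claim": "sub"},
        "dev": {"role_type": "oidc", "callback_mode": "client", "user_claim": "sub"},
        "legacy": {"role_type": "oidc", "user_claim": "sub"},  # default mode
    },
    "jwt-ci/": {
        "builder": {"role_type": "jwt", "user_claim": "sub"},
        "release": {"role_type": "oidc", "callback_mode": "direct", "user_claim": "email"},
    },
}


def sample_audit() -> List[str]:
    """Same audit logic over the constructed sample data."""
    return find_direct_roles(
        SAMPLE_MOUNTS,
        lambda m: sorted(SAMPLE_ROLES.get(m, {})),
        lambda m, n: SAMPLE_ROLES.get(m, {}).get(n),
    )


if __name__ == "__main__":
    addr, token = os.environ.get("BAO_ADDR"), os.environ.get("BAO_TOKEN")
    found = live_audit(addr, token) if addr and token else sample_audit()
    for ref in found:
        print(f"CVE-2026-33757 exposure: {ref} has callback_mode=direct")
    raise SystemExit(1 if found else 0)
```

Run it with `BAO_ADDR` and `BAO_TOKEN` set to audit a live server; the non-zero exit status makes it usable as a pre-upgrade gate in a pipeline. Roles on the `jwt` mount type are included because that plugin can also host OIDC-type roles, and roles with no `callback_mode` are deliberately left out since they fall back to the client-side callback that the advisory does not describe as affected.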