Unknown · Authenticator · CVE-2024-29033
**Name of the Vulnerable Software and Affected Versions**
oauthenticator versions prior to 16.3.0
**Description**
The issue concerns the `GoogleOAuthenticator.hosted_domain` parameter, which is intended to restrict access to Google accounts that belong to one or more Google organizations verified to control the specified domain(s). However, prior to version 16.3.0, the check actually applied was whether the account's email address ended with the domain, so anyone able to read an email address at that domain could create a Google account with it and gain access to the system, without belonging to the organization. This was described by Dylan Ayrey in a blog post from 15 December 2023. OAuthenticator 16.3.0 contains a patch for this issue.
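To make the distinction concrete, the following added example (illustrative code, not oauthenticator's own implementation) places the weak email-suffix check described above beside a check based on Google's `hd` (hosted domain) claim, which Google includes in ID-token and userinfo responses only for accounts managed by a Google Workspace organization. The `user_info` dictionaries are constructed sample data, not captured responses, and the function names are the example's own.

```python
# Added illustration (not oauthenticator's code): why matching on the email
# domain does not enforce Google organisation membership, and what a check on
# the `hd` claim does instead.
#
# Assumption (labelled): Google's userinfo / ID-token payload carries `email`,
# `email_verified` and, only for Google Workspace (organisation) accounts, an
# `hd` claim naming the organisation's verified domain. Consumer Google
# accounts, including ones self-registered with a non-Gmail address, have no `hd`.


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address ('' if malformed)."""
    _, sep, domain = email.rpartition("@")
    return domain.lower() if sep else ""


def allowed_by_email_suffix(user_info: dict, hosted_domains: list[str]) -> bool:
    """Weak check, modelling the pre-16.3.0 behaviour the advisory describes:
    the account is admitted when its email domain matches a configured domain.
    Any Google account created with an address at that domain passes, whether
    or not the account belongs to the organisation controlling the domain."""
    allowed = {d.lower() for d in hosted_domains}
    return domain_of(user_info.get("email", "")) in allowed


def allowed_by_hosted_domain(user_info: dict, hosted_domains: list[str]) -> bool:
    """Corrected check: require the `hd` claim, which Google sets only for
    organisation-managed accounts, and compare it to the configured domains.
    A consumer account carries no `hd` and is therefore rejected even if its
    email address happens to be at the configured domain."""
    hd = user_info.get("hd")
    if not hd:
        return False
    allowed = {d.lower() for d in hosted_domains}
    return hd.lower() in allowed


# --- constructed sample data (not real Google responses) --------------------
HOSTED_DOMAINS = ["example.com"]

# Member of the Workspace organisation that controls example.com.
WORKSPACE_USER = {"email": "alice@example.com", "email_verified": True, "hd": "example.com"}

# Google account self-registered with an existing example.com mailbox; the
# account is not managed by the organisation, so Google sets no `hd`.
CONSUMER_USER = {"email": "contractor@example.com", "email_verified": True}

# Member of an unrelated organisation.
OUTSIDER = {"email": "mallory@other.example", "email_verified": True, "hd": "other.example"}


def compare_checks(user_info: dict, hosted_domains: list[str]) -> dict:
    """Run both checks on one account so the divergence is visible."""
    return {
        "email_suffix": allowed_by_email_suffix(user_info, hosted_domains),
        "hosted_domain": allowed_by_hosted_domain(user_info, hosted_domains),
    }


if __name__ == "__main__":
    for label, info in [("workspace", WORKSPACE_USER), ("consumer", CONSUMER_USER), ("outsider", OUTSIDER)]:
        print(label, compare_checks(info, HOSTED_DOMAINS))
```

Running the block shows that both checks agree on the organisation member and on the outsider, but differ on the self-registered consumer account: the suffix check admits it, the `hd` check refuses it. That gap is the access the advisory describes. When the identity provider offers an organisation-membership claim, authorisation should rest on that claim rather than on any string property of the email address.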
**Recommendations**
For versions prior to 16.3.0, upgrade to oauthenticator version 16.3.0 or later.
As a temporary workaround, restrict who can log in by another means, such as the `allowed_users` or `allowed_google_groups` settings.