Tamjidrahat

**Name of the Vulnerable Software and Affected Versions** oauth2-server (aka node-oauth2-server) versions 3.1.1 and earlier **Description** The issue arises from an incorrect URI pattern (`[a-zA-Z][a-zA-Z0-9+.-]+:`) used to check the `redirect uri` parameter during authorization and token requests. This flaw allows a malicious client to inject an XSS payload through the `redirect uri` parameter, potentially leading to security breaches. **Recommendations** For versions 3.1.1 and earlier, update to a version later than 3.1.1 to resolve the issue. As a temporary workaround, consider validating the `redirect uri` parameter against a correct URI pattern to prevent malicious redirects.

Name of the Vulnerable Software and Affected Versions: oauth2-server (aka node-oauth2-server) versions 3.1.1 and earlier Description: The issue is related to the implementation of OAuth 2.0 without PKCE, which does not prevent authorization code injection. This is similar to a previously known issue. The vendor has stated that they do not consider this a vulnerability with the library itself, as the relevant RFC is an extension. Recommendations: For versions 3.1.1 and earlier, consider implementing PKCE to prevent authorization code injection as a mitigation measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.