CVE-2020-26877

Name of the Vulnerable Software and Affected Versions ApiFest OAuth 2.0 Server version 0.3.1

Description The issue concerns the failure to validate the redirect URI according to RFC 6749, making the server susceptible to an open redirector attack. An attacker can manipulate the redirect uri parameter to obtain a leaked authorization code when the server redirects the client to the manipulated URI.

Recommendations For ApiFest OAuth 2.0 Server version 0.3.1, consider implementing redirect URI validation to ensure it matches the registered URI of the client initiating the request, as a temporary workaround to prevent open redirector attacks. Restrict access to the authorization code endpoint to minimize the risk of exploitation. Avoid using the redirect uri parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.