x/vulndb: potential Go vuln in github.com/h44z/wg-portal: GHSA-2r2v-9pf8-6342

[GoVulnBot]

Advisory GHSA-2r2v-9pf8-6342 references a vulnerability in the following Go modules:

Module
github.com/h44z/wg-portal

Description:

Impact

Users of WireGuard Portal v2 who have OAuth (or OIDC) authentication backends enabled can be affected by an Account Takeover vulnerability if they visit a malicious website.

Patches

The problem was fixed in the latest alpha release, v2.0.0-alpha.3. The docker images for the tag 'latest' built from the master branch also include the fix.

References:

• ADVISORY: GHSA-2r2v-9pf8-6342
• ADVISORY: GHSA-2r2v-9pf8-6342
• FIX: h44z/wg-portal@62dbdfe

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/h44z/wg-portal
      non_go_versions:
        - introduced: 2.0.0-alpha.1
        - fixed: 2.0.0-alpha.3
      vulnerable_at: 1.0.19
summary: WireGuard Portal v2 Vulnerable to OAuth Insecure Redirect URI / Account Takeover in github.com/h44z/wg-portal
ghsas:
    - GHSA-2r2v-9pf8-6342
references:
    - advisory: https://github.com/advisories/GHSA-2r2v-9pf8-6342
    - advisory: https://github.com/h44z/wg-portal/security/advisories/GHSA-2r2v-9pf8-6342
    - fix: https://github.com/h44z/wg-portal/commit/62dbdfe0f96045d46e121d509fc181fbb7936895
source:
    id: GHSA-2r2v-9pf8-6342
    created: 2025-01-07T16:01:58.329093551Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/641495 mentions this issue: data/reports: add 2 unreviewed reports