A recently disclosed critical security vulnerability in the Open Authorization (OAuth) implementation of the application development framework Expo.io has been assigned the CVE identifier CVE-2023-28131 and given a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs warned that the issue could be exploited to leak credentials, which could then be used to hijack accounts and access sensitive data.

If an app is configured for single sign-on (SSO) using a third-party provider such as Google or Facebook, an attacker could cause the secret token associated with the sign-in provider to be sent to an actor-controlled domain and use it to take control of the victim's account. Expo released a hotfix within hours of the responsible disclosure on February 18, 2023, and recommends that users migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers.

This follows the discovery of a path traversal and an SQL injection flaw (CVE-2023-28438) in the Pimcore enterprise content management system by Swiss cybersecurity company Sonar, and an unauthenticated, stored cross-site scripting vulnerability impacting LibreNMS versions 22.10.0 and prior.
Source: Hackernews
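The mitigation Expo recommends, registering the app's own deep link scheme instead of relying on a shared proxy, comes down to one rule: a sign-in result must never be forwarded to a return target the app did not pre-register. As an added example that is not Expo's code, the JavaScript below shows a strict return-URL check for such a redirect proxy; the registry, the app slug `@acme/shop`, the `acmeshop` scheme and the `shop.acme.example` origin are constructed for illustration.

```javascript
// Added example, not Expo's code: strict return-URL validation for an OAuth
// redirect proxy. The sign-in result is forwarded only to a target the app
// pre-registered (its own deep link scheme or an exact https origin), so an
// attacker-supplied host never receives the provider token.

// Hypothetical registry keyed by app slug (constructed sample data).
const REGISTERED_RETURN_TARGETS = {
  "@acme/shop": { schemes: ["acmeshop"], origins: ["https://shop.acme.example"] },
};

// Returns { ok: true } or { ok: false, reason } so rejections can be logged.
function checkReturnUrl(appSlug, returnUrl) {
  const reg = REGISTERED_RETURN_TARGETS[appSlug];
  if (!reg) return { ok: false, reason: "unknown app" };
  let u;
  try { u = new URL(returnUrl); } catch { return { ok: false, reason: "unparseable url" }; }
  // Embedded credentials make "trusted-host@evil" look trusted at a glance.
  if (u.username || u.password) return { ok: false, reason: "credentials in url" };
  const scheme = u.protocol.slice(0, -1); // WHATWG URL lower-cases the scheme
  if (scheme === "https") {
    // Compare the full origin, never a substring: "shop.acme.example.evil" must fail.
    return reg.origins.includes(u.origin)
      ? { ok: true }
      : { ok: false, reason: "origin not registered" };
  }
  if (["http", "javascript", "data", "file"].includes(scheme)) {
    return { ok: false, reason: `scheme ${scheme} not permitted` };
  }
  // Anything else must be one of the app's registered custom deep link schemes.
  return reg.schemes.includes(scheme)
    ? { ok: true }
    : { ok: false, reason: "scheme not registered" };
}

// Builds the final redirect, or returns a null redirect plus the rejection reason.
function forwardAuthResult(appSlug, returnUrl, code) {
  const verdict = checkReturnUrl(appSlug, returnUrl);
  if (!verdict.ok) return { redirect: null, reason: verdict.reason };
  const u = new URL(returnUrl);
  u.hash = "";                        // drop anything the caller put in the fragment
  u.searchParams.set("code", code);   // only the proxy decides what gets appended
  return { redirect: u.toString(), reason: null };
}
```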
To mitigate potential threats, it is important to implement additional cybersecurity measures with the help of a trusted partner like INFRA www.infrascan.net, or you can try it yourself using check.website.