The AlekSIS® team has found a security issue concerning client-protected OAuth resources. These are API endpoints (URLs) protected by an OAuth client ID and secret, and they are currently used only by the official app “Resint” for time-based documents.
If an OAuth app was registered without a list of allowed scopes, it could access all time-based documents instead of none. To exploit this bug, an attacker would have to get hold of the client ID and secret of an OAuth app without a list of allowed scopes, for example by extracting them from a public web application that uses AlekSIS® for authentication.
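The failure mode described above, an empty allowed-scopes list being treated as "no restriction" rather than "no access", is easy to reproduce in isolation. The following is an added example written for this advisory and is not AlekSIS or Resint code; the `OAuthApp` class, the two check functions, the `audit_apps` helper and the scope name `resint.view_documents` are hypothetical stand-ins. It places the buggy check beside the fail-closed version and adds a small audit that lists which registered apps the bug over-privileged.

```python
"""Added example: empty allowed-scopes list handled open (buggy) vs. closed (fixed).

Not AlekSIS code. All names below are hypothetical stand-ins for a
client-credentials scope check on a protected API endpoint.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OAuthApp:
    """A registered OAuth client (hypothetical model).

    ``allowed_scopes`` holds the scopes an operator explicitly granted.
    An empty list is meant to grant nothing.
    """

    client_id: str
    allowed_scopes: list[str] = field(default_factory=list)


def may_access_vulnerable(app: OAuthApp, required_scope: str) -> bool:
    """Buggy check: an empty allowed-scopes list falls through to 'unrestricted'.

    An app registered without any scopes therefore reaches every protected
    resource, which is the behaviour the advisory describes.
    """
    if not app.allowed_scopes:
        return True  # defect: 'no scopes configured' is read as 'all scopes'
    return required_scope in app.allowed_scopes


def may_access_fixed(app: OAuthApp, required_scope: str) -> bool:
    """Fail-closed check: only explicitly listed scopes grant access.

    With an empty list the membership test is always False, so an app without
    allowed scopes can access nothing.
    """
    return required_scope in app.allowed_scopes


def audit_apps(apps: list[OAuthApp], required_scope: str) -> list[str]:
    """Defender-side helper: client IDs that the buggy check let through but the
    fixed check denies, i.e. apps that were over-privileged for this scope."""
    return [
        app.client_id
        for app in apps
        if may_access_vulnerable(app, required_scope)
        and not may_access_fixed(app, required_scope)
    ]


if __name__ == "__main__":
    # Constructed sample registrations; the scope name is a placeholder.
    scope = "resint.view_documents"
    registered = [
        OAuthApp("app-no-scopes"),                      # registered without scopes
        OAuthApp("app-with-scope", [scope]),            # explicitly granted
        OAuthApp("app-other-scope", ["other.scope"]),   # granted something else
    ]
    for app in registered:
        print(
            f"{app.client_id:16} vulnerable={may_access_vulnerable(app, scope)!s:5} "
            f"fixed={may_access_fixed(app, scope)}"
        )
    print("over-privileged by the bug:", audit_apps(registered, scope))
```

When reviewing a fix of this kind, the property to assert in tests is the one `may_access_fixed` has: the empty configuration and the "some other scope" configuration must both be denied, and only the explicitly granted scope may pass.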