Back

CVE-2024-34065

June 12, 2024, 3:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

@strapi/plugin-users-permissions

  • before 4.24.2

Source

security-advisories@github.com

Tags

security-advisories@github.com
2024-06-12
CVE-2024-34065
CWE-294

CVE-2024-34065 details

Published : June 12, 2024, 3:15 p.m.
Last Modified : June 12, 2024, 3:15 p.m.

Description

Strapi is an open-source content management system. By combining two vulnerabilities (an `Open Redirect` and `session token sent as URL query parameter`) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.

CVSS Score

1 2 3 4 5 6 7.1 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

Base Score

7.1

Exploitability Score

Impact Score

Base Severity

HIGH

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

References

URL Source
https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.