CVE-2024-56329

Dec. 20, 2024, 8:15 p.m.

None
No Score

Description

Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel Socialite. When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks. Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Product(s) Impacted

Product Versions
Laravel Jetstream Socialstream Package
  • 6.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References

https://github.com/joelbutcher/socialstream/commit/ae4dc3906f54fa792b296036d7b3dcea9a4d259b
https://github.com/joelbutcher/socialstream/security/advisories/GHSA-3q97-vjpp-c8rp

Tags

security-advisories@github.com
CWE-287
2024-12-20
CVE-2024-56329

Timeline

Published: Dec. 20, 2024, 8:15 p.m.
Last Modified: Dec. 20, 2024, 8:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.