CVE-2024-34065

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-34065

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-34065.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-34065

Aliases

GHSA-wrvh-rcmr-9qfc

Related

GHSA-wrvh-rcmr-9qfc

Published

2024-06-12T15:15:51Z

Modified

2025-02-18T19:52:41Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator

Summary

[none]

Details

Strapi is an open-source content management system. By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.

References

https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc

Affected packages

Git / github.com/strapi/strapi

Affected ranges

Type: GIT
Repo: https://github.com/strapi/strapi
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6751512c18d73bad0cb7655bedc3d86995f3c3a8