Description
A maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot.
Recommendation
Update the botframework-connector package to the latest compatible version. Followings are version details:
Affected version(s): **>= 4.10.0, < 4.10.3 >= 4.9.0, < 4.9.4 = 4.8.0 >= 4.7.0, < 4.7.3** Patched version(s): **4.10.3 4.9.4 4.8.1 4.7.3**
References
- GHSA-fvcj-hvfw-7f2v
- aka.ms
- www.npmjs.com
- portal.msrc.microsoft.com
- CVE-2021-1725
- CWE-200
- CWE-287
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- Improper Neutralization of Input in Theia console - CVE-2021-28161
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
- URIjs Vulnerable to Hostname spoofing via backslashes in URL - CVE-2021-3647
- jspdf vulnerable to Regular Expression Denial of Service (ReDoS) - CVE-2021-23353
You might also like:
- Tags:
- npm
- botframework-connector
Anything's wrong? Let us know Last updated on January 11, 2024


