Description
A maliciously crafted claim may be incorrectly authenticated by the bot. Impacts bots that are not configured to be used as a Skill. This vulnerability requires an attacker to have internal knowledge of the bot.
Recommendation
Update the botframework-connector package to the latest compatible version. Version details:
- Affected version(s): **>= 4.10.0, < 4.10.3**; **>= 4.9.0, < 4.9.4**; **= 4.8.0**; **>= 4.7.0, < 4.7.3**
- Patched version(s): **4.10.3**, **4.9.4**, **4.8.1**, **4.7.3**
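As an added example (not part of this advisory or the Bot Framework project), the following script checks every resolved `botframework-connector` version in a package-lock.json against the affected ranges listed above; the lockfile content is constructed inline, and the lockfileVersion 2/3 `packages` layout is assumed.

```python
"""Audit a package-lock.json for botframework-connector versions that fall in
the affected ranges this advisory lists (CVE-2021-1725)."""
import json

# Affected ranges from the advisory as (lower inclusive, upper exclusive).
# The single pinned version "= 4.8.0" is written as the range [4.8.0, 4.8.1).
AFFECTED_RANGES = [
    ((4, 10, 0), (4, 10, 3)),
    ((4, 9, 0), (4, 9, 4)),
    ((4, 8, 0), (4, 8, 1)),
    ((4, 7, 0), (4, 7, 3)),
]

def parse_version(version):
    """Turn a plain 'major.minor.patch' string into a comparable int tuple."""
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(version):
    """True if the version lies inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def find_connector_versions(lockfile):
    """Collect every resolved botframework-connector version, including
    nested copies under other packages' node_modules directories."""
    found = set()
    for path, entry in lockfile.get("packages", {}).items():
        if path.endswith("node_modules/botframework-connector") and "version" in entry:
            found.add(entry["version"])
    return found

def audit(lockfile_text):
    """Return {version: 'affected' | 'not affected'} for each resolved version."""
    lockfile = json.loads(lockfile_text)
    return {v: ("affected" if is_affected(v) else "not affected")
            for v in sorted(find_connector_versions(lockfile))}

# Constructed sample lockfile: a patched top-level copy plus an affected
# copy nested under botbuilder, which a plain `npm ls` glance could miss.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "node_modules/botframework-connector": {"version": "4.10.3"},
        "node_modules/botbuilder/node_modules/botframework-connector": {"version": "4.9.2"},
    },
})

if __name__ == "__main__":
    for version, status in audit(SAMPLE_LOCK).items():
        print(f"botframework-connector@{version}: {status}")
```

Nested duplicates are the case worth checking: a patched top-level copy does not remove an affected copy pulled in transitively.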
References
- GHSA-fvcj-hvfw-7f2v
- aka.ms
- www.npmjs.com
- portal.msrc.microsoft.com
- CVE-2021-1725
- CWE-200
- CWE-287
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
- OWASP 2021-A7
Tags:
- npm
- botframework-connector
Last updated on January 11, 2024