Description
A maliciously crafted claim may be incorrectly authenticated by the bot. This affects bots that are not configured to be used as a Skill. Exploitation requires the attacker to have internal knowledge of the bot.
Recommendation
Update the botframework-connector package to the latest compatible version. Affected and patched versions are:
- Affected **>= 4.10.0, < 4.10.3**, patched in **4.10.3**
- Affected **>= 4.9.0, < 4.9.4**, patched in **4.9.4**
- Affected **= 4.8.0**, patched in **4.8.1**
- Affected **>= 4.7.0, < 4.7.3**, patched in **4.7.3**
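As an added example, not part of this advisory or of the Bot Framework SDK, the script below encodes the affected ranges listed above and walks a `package-lock.json` object to flag every installed copy of botframework-connector (including transitive copies nested under other packages) that still falls inside them. The range table, the `isAffected`/`findAffectedInLock` helpers and the sample lockfile are all constructed here for illustration; it uses no npm dependencies, so it can be dropped into a CI step as-is.

```javascript
// Added example: check installed botframework-connector versions against
// the affected ranges of CVE-2021-1725 (GHSA-fvcj-hvfw-7f2v). Hypothetical
// helper; not the SDK's own code. No external modules required.

// Ranges are half-open [min, max): "max" is the first patched release.
const AFFECTED_RANGES = [
  { min: "4.10.0", max: "4.10.3" }, // >= 4.10.0, < 4.10.3
  { min: "4.9.0",  max: "4.9.4"  }, // >= 4.9.0,  < 4.9.4
  { min: "4.8.0",  max: "4.8.1"  }, // = 4.8.0 (4.8.1 is the fix)
  { min: "4.7.0",  max: "4.7.3"  }, // >= 4.7.0,  < 4.7.3
];

// Parse "MAJOR.MINOR.PATCH" (optionally with a leading "v" or a
// prerelease/build suffix, which is ignored) into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison so that 4.10.0 sorts after 4.9.9 (a string
// comparison would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return AFFECTED_RANGES.some(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) < 0
  );
}

// Walk a parsed package-lock.json. Lockfile v2/v3 carries a flat "packages"
// map keyed by install path; v1 carries a nested "dependencies" tree.
// Returns one entry per installed botframework-connector copy.
function findAffectedInLock(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/botframework-connector") && info.version) {
        found.push({ path, version: info.version, affected: isAffected(info.version) });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "botframework-connector" && info.version) {
        found.push({ path, version: info.version, affected: isAffected(info.version) });
      }
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Constructed sample lockfile (v2 layout): the top-level copy is patched,
// but a transitive copy under botbuilder is still on a vulnerable release.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/botframework-connector": { version: "4.10.3" },
    "node_modules/botbuilder/node_modules/botframework-connector": { version: "4.9.2" },
  },
};

for (const r of findAffectedInLock(SAMPLE_LOCK)) {
  console.log(`${r.path}@${r.version}: ${r.affected ? "AFFECTED (CVE-2021-1725)" : "patched"}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. Checking every install path rather than only the top-level package matters here because a patched direct dependency does not help if another package pins its own vulnerable copy.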
References
- GHSA-fvcj-hvfw-7f2v
- aka.ms
- www.npmjs.com
- portal.msrc.microsoft.com
- CVE-2021-1725
- CWE-200
- CWE-287
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
- OWASP 2021-A7
Related Issues
- MrSwitch hello.js vulnerable to prototype pollution - CVE-2021-26505
- Improper Input Validation in sanitize-html (GHSA-mjxr-4v3x-q3m4) - CVE-2021-26540
- Improper Neutralization of Input in Theia console - CVE-2021-28161
- materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input - CVE-2022-25349
Tags
- npm
- botframework-connector
Last updated on January 11, 2024