@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Severity:: High

Description

By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click).

Recommendation

Update the @strapi/plugin-users-permissions package to the latest compatible version. Followings are version details:

Affected version(s): < 4.24.2
Patched version(s): 4.24.2

References

GHSA-wrvh-rcmr-9qfc
CVE-2024-34065
CWE-294
CWE-601
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6
OWASP 2021-A7

Related Issues

Authentication Bypass in @strapi/plugin-users-permissions - Vulnerability
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin - CVE-2023-22621
Strapi plugins vulnerable to Server-Side Template Injection and Remote Code Execution in the Users-Permissions Plugin (GHSA-2h87-4q2w-v4hf) - CVE-2023-22621
@strapi/plugin-content-manager leaks data via relations via the Admin Panel - CVE-2024-29181

Tags:: npm; @strapi/plugin-users-permissions

Anything's wrong? Let us know Last updated on November 20, 2024