@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
- Severity: High
Description
By combining two vulnerabilities in the Strapi framework (an Open Redirect and a session token sent as a URL query parameter), an unauthenticated attacker can bypass the authentication mechanism and retrieve the 3rd party tokens. The attack requires user interaction (one click).
Recommendation
Update the @strapi/plugin-users-permissions package to the latest compatible version. Version details:
- Affected version(s): < 4.24.2
- Patched version(s): 4.24.2
- Tags: npm, @strapi/plugin-users-permissions
Last updated on November 20, 2024