sensiolabs/connect has a Cross-Site Request Forgery Vulnerability

Moderate severity GitHub Reviewed Published May 21, 2024 to the GitHub Advisory Database • Updated May 21, 2024

Package

composer sensiolabs/connect (Composer)

Affected versions

< 4.2.3

Patched versions

4.2.3

Description

Versions of sensiolabs/connect prior to 4.2.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to the absence of the state parameter in OAuth requests. Without a state value bound to the user's session, the application cannot verify that an authorization response it receives belongs to a request it initiated, which exposes it to CSRF attacks during the OAuth authentication flow.
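As an added example that is not part of this advisory or of the sensiolabs/connect code, the following PHP shows the mitigation the patched version is described as introducing: a random `state` value is bound to the user's session when the authorization request is built, and the callback is rejected unless it echoes that exact value. Function names and the endpoint parameters are hypothetical.

```php
<?php
// Added example, not sensiolabs/connect code. Binds the OAuth authorization
// request to the browser session via `state` and verifies it on the callback.

function generate_state(): string {
    // 32 random bytes -> 64 hex chars, stored server-side in the session.
    $state = bin2hex(random_bytes(32));
    $_SESSION['oauth_state'] = $state;
    $_SESSION['oauth_state_issued_at'] = time();
    return $state;
}

function build_authorize_url(string $authorizeEndpoint, string $clientId, string $redirectUri): string {
    $params = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'state'         => generate_state(), // the value the affected versions omitted
    ];
    return $authorizeEndpoint . '?' . http_build_query($params);
}

function verify_callback(array $query, int $maxAgeSeconds = 600): bool {
    $expected = $_SESSION['oauth_state'] ?? null;
    $issuedAt = $_SESSION['oauth_state_issued_at'] ?? 0;
    // One-time use: discard the stored value whether or not the check passes.
    unset($_SESSION['oauth_state'], $_SESSION['oauth_state_issued_at']);

    if ($expected === null || !isset($query['state']) || !is_string($query['state'])) {
        return false; // no state issued, or none echoed back: treat as forged
    }
    if (time() - $issuedAt > $maxAgeSeconds) {
        return false; // stale state; force the user to restart the flow
    }
    // Constant-time comparison so the stored value cannot be guessed via timing.
    return hash_equals($expected, $query['state']);
}

// Usage sketch (hypothetical endpoint and client values):
session_start();
if (!isset($_GET['code'])) {
    header('Location: ' . build_authorize_url(
        'https://example.invalid/oauth/authorize', 'client-id-placeholder',
        'https://app.example.invalid/callback'));
    exit;
}
if (!verify_callback($_GET)) {
    http_response_code(400);
    exit('OAuth state mismatch');
}
// Only now exchange $_GET['code'] for a token.
```

Sessions must be established before the redirect so the stored state survives the round trip; the same check also rejects a callback that arrives with no session at all.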

References

Published to the GitHub Advisory Database May 21, 2024
Reviewed May 21, 2024
Last updated May 21, 2024

Severity

Moderate 6.1 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-6wqp-7g94-f69j

Source code
