GHSA-6wqp-7g94-f69j – sensiolabs/connect

Package

Manager: composer
Name: sensiolabs/connect
Vulnerable Version: >=0 <4.2.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

sensiolabs/connect has a Cross-Site Request Forgery Vulnerability Versions of sensiolabs/connect prior to 4.2.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to the absence of the state parameter in OAuth requests. The lack of proper state parameter handling exposes applications to CSRF attacks during the OAuth authentication flow.

Metadata

Created: 2024-05-21T18:26:46Z
Modified: 2024-05-21T18:26:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-6wqp-7g94-f69j/GHSA-6wqp-7g94-f69j.json
CWE IDs: ["CWE-352"]
Alternative ID: N/A
Finding: F007
Auto approve: 1