GHSA-hhw9-35p2-q2c5 socialiteproviders/steam

Package

Manager: composer
Name: socialiteproviders/steam
Vulnerable Version: >=0 <3.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Steam Socialite Provider v1 does not correctly validate the OpenID server

### Impact
The outdated version 1 of the Steam Socialite Provider does not properly check that the login comes from `steamcommunity.com`, allowing a malicious actor to substitute their own OpenID server.

### Patches
This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained; users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [SocialiteProviders/Providers](https://github.com/SocialiteProviders/Providers)
* Email us at [socialite@atymic.dev](mailto:socialite@atymic.dev)
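The check the Patches section describes (verifying the OpenID response against a hardcoded Steam endpoint instead of trusting whatever server the response names) looks like this. This is an added example, not code from socialiteproviders/steam; the endpoint URL, parameter names and 17-digit SteamID64 format are the publicly documented Steam OpenID 2.0 values rather than values quoted in the advisory, and the sample responses are constructed.

```python
import re
from typing import Mapping, Optional

# Steam's OpenID 2.0 provider endpoint and identity URL format. These are the
# publicly documented Steam values (assumed here, not quoted in the advisory).
# The endpoint is hardcoded: the response must never tell us where to verify it.
STEAM_OP_ENDPOINT = "https://steamcommunity.com/openid/login"
STEAM_CLAIMED_ID_RE = re.compile(r"^https://steamcommunity\.com/openid/id/(\d{17})$")


def validate_steam_openid_return(params: Mapping[str, str]) -> Optional[str]:
    """Return the SteamID64 from an OpenID return_to request, or None.

    Rejects any response whose op_endpoint or identity is not exactly Steam's.
    Exact string comparison, rather than a substring or "contains" test on the
    hostname, is what keeps a lookalike host from passing. The caller must still
    run check_authentication by POSTing the signed fields to STEAM_OP_ENDPOINT,
    never to params["openid.op_endpoint"].
    """
    if params.get("openid.mode") != "id_res":
        return None
    if params.get("openid.op_endpoint") != STEAM_OP_ENDPOINT:
        return None
    claimed_id = params.get("openid.claimed_id")
    if claimed_id is None or claimed_id != params.get("openid.identity"):
        return None
    match = STEAM_CLAIMED_ID_RE.match(claimed_id)
    return match.group(1) if match else None


# Constructed sample responses (not real captures). Only the fields this check
# reads are included; a real response also carries the signature fields.
GENUINE_RETURN = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://steamcommunity.com/openid/login",
    "openid.claimed_id": "https://steamcommunity.com/openid/id/76561197960287930",
    "openid.identity": "https://steamcommunity.com/openid/id/76561197960287930",
}

# Same shape, but every URL names a different provider whose hostname merely
# begins with steamcommunity.com; a substring check would accept it.
LOOKALIKE_RETURN = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://steamcommunity.com.example.invalid/openid/login",
    "openid.claimed_id": "https://steamcommunity.com.example.invalid/openid/id/76561197960287930",
    "openid.identity": "https://steamcommunity.com.example.invalid/openid/id/76561197960287930",
}

if __name__ == "__main__":
    print(validate_steam_openid_return(GENUINE_RETURN))   # 76561197960287930
    print(validate_steam_openid_return(LOOKALIKE_RETURN))  # None
```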

Metadata

Created: 2021-01-29T20:51:30Z
Modified: 2021-01-29T20:39:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-hhw9-35p2-q2c5/GHSA-hhw9-35p2-q2c5.json
CWE IDs: ["CWE-346"]
Alternative ID: N/A
Finding: F184
Auto approve: 1