Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02d3FwLTdnOTQtZjY5as4AA8ac
sensiolabs/connect has a Cross-Site Request Forgery Vulnerability
Versions of sensiolabs/connect prior to 4.2.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to the absence of the state parameter in OAuth requests. The lack of proper state parameter handling exposes applications to CSRF attacks during the OAuth authentication flow.
Permalink: https://github.com/advisories/GHSA-6wqp-7g94-f69j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02d3FwLTdnOTQtZjY5as4AA8ac
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 9 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-6wqp-7g94-f69j
References:
- https://github.com/sensiolabs/connect/pull/63
- https://github.com/symfonycorp/connect/commit/9522aa774e8a0f8a61e709d828e6cc34c4c1e703
- https://github.com/FriendsOfPHP/security-advisories/blob/master/sensiolabs/connect/2018-06-08-1.yaml
- https://github.com/advisories/GHSA-6wqp-7g94-f69j
Blast Radius: 7.7
Affected Packages
packagist:sensiolabs/connect
Dependent packages: 3
Dependent repositories: 18
Downloads: 25,848 total
Affected Version Ranges: < 4.2.3
Fixed in: 4.2.3
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.1.0, 3.0.0, 4.0.0, 4.1.0, 4.2.0, 4.2.1, 4.2.2
All unaffected versions: 4.2.3, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 6.0.0, 6.0.1, 6.1.0, 6.2.0, 6.2.1, 6.2.2, 6.3.0, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.3.0, 7.3.1, 7.4.0, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4