Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zcTk3LXZqcHAtYzhycM4ABCpo
Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback
Description
When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.
Resolution
Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account.
Permalink: https://github.com/advisories/GHSA-3q97-vjpp-c8rpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zcTk3LXZqcHAtYzhycM4ABCpo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 20 days ago
Updated: 13 days ago
EPSS Percentage: 0.00043
EPSS Percentile: 0.10899
Identifiers: GHSA-3q97-vjpp-c8rp, CVE-2024-56329
References:
- https://github.com/joelbutcher/socialstream/security/advisories/GHSA-3q97-vjpp-c8rp
- https://github.com/joelbutcher/socialstream/commit/ae4dc3906f54fa792b296036d7b3dcea9a4d259b
- https://nvd.nist.gov/vuln/detail/CVE-2024-56329
- https://github.com/advisories/GHSA-3q97-vjpp-c8rp
Blast Radius: 0.0
Affected Packages
packagist:joelbutcher/socialstream
Dependent packages: 5Dependent repositories: 24
Downloads: 298,553 total
Affected Version Ranges: < 5.6.0, >= 6.0.0, < 6.2.0
Fixed in: 5.6.0, 6.2.0
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.6.0, 3.7.0, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.9.0, 3.9.1, 3.9.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.2.0, 4.2.1, 4.3.0, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.4.2, 5.5.1, 5.5.2, 5.5.3, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11
All unaffected versions: 5.6.0, 6.2.0