GHSA-3q97-vjpp-c8rp

Source

https://github.com/advisories/GHSA-3q97-vjpp-c8rp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-3q97-vjpp-c8rp/GHSA-3q97-vjpp-c8rp.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-3q97-vjpp-c8rp

Aliases

CVE-2024-56329

Published

2024-12-20T15:01:20Z

Modified

2024-12-26T17:30:54.887106Z

Severity

8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator

Summary

Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback

Details

Description

When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.

Resolution

Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account.

Database specific

{
    "nvd_published_at": "2024-12-20T20:15:23Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-20T15:01:20Z"
}

References

Affected packages

Packagist / joelbutcher/socialstream

Package

Name: joelbutcher/socialstream
Purl: pkg:composer/joelbutcher/socialstream

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.2.0

Affected versions

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.1.0

v6.1.1

v6.1.2

v6.1.3

v6.1.4

v6.1.5

v6.1.6

v6.1.7

v6.1.8

v6.1.9

v6.1.10

v6.1.11

Packagist / joelbutcher/socialstream

Package

Name: joelbutcher/socialstream
Purl: pkg:composer/joelbutcher/socialstream

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.0

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.0.4

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.2.1

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.1.0

v2.1.1

v2.2.0

v2.3.0

v2.4.0

v2.4.1

v2.5.0

v2.5.1

v2.6.0

v2.6.1

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.2.0

v3.2.1

v3.2.3

v3.3

v3.4.0

v3.4.1

v3.4.2

v3.5.0

v3.6.0

v3.7.0

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.5

v3.7.6

v3.8.0

v3.8.1

v3.8.2

v3.8.3

v3.9.0

v3.9.1

v3.9.2

3.*

3.2.2

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.2.0

v4.2.1

v4.3.0

v4.4.0

v4.4.1

v4.4.2

v4.4.3

v4.4.4

v4.4.5

v4.4.6

v5.*

v5.0.0-beta1

v5.0.0-beta1.1

v5.0.0

v5.0.1

v5.0.2

v5.0.3

v5.1.0

v5.1.1

v5.1.2

v5.2.0

v5.3.0

v5.3.1

v5.3.2

v5.4.0

v5.4.1

v5.4.2

v5.5.1

v5.5.2

v5.5.3