The outdated version 1 of the Steam Socialite Provider doesn't check properly if the login comes from steamcommunity.com
, allowing a malicious actor to substitute their own openID server.
This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained, users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login.
If you have any questions or comments about this advisory: * Open an issue in SocialiteProviders/Providers * Email us at socialite@atymic.dev
{ "nvd_published_at": null, "cwe_ids": [ "CWE-346" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2021-01-29T20:39:56Z" }