PT-2020-21408 — Authentication Bypass by Spoofing in Simon Willison Datasette-Indieauth

PT-2020-21408 · Simon Willison · Datasette-Indieauth

Published

2020-11-24

Updated

2020-11-24

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

Name of the Vulnerable Software and Affected Versions datasette-indieauth versions prior to 1.1

Description A malicious user can sign in as a user with any IndieAuth identifier due to the implementation not verifying that the final "me" URL value returned by the authorization server belongs to the same domain as the initial value entered by the user.

Recommendations For versions prior to 1.1, upgrade to version 1.1 immediately to resolve the issue.

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-290

Related Identifiers

GHSA-MJCR-RQJG-RHG3

Affected Products

Datasette-Indieauth

PT-2020-21408 · Simon Willison · Datasette-Indieauth

Weakness Enumeration

Related Identifiers

Affected Products

References · 5