PT-2024-25676 · Strapi · @Strapi/Plugin-Users-Permissions

Iarce-Qb · Published 2024-06-12 · Updated 2024-09-26 · CVE-2024-34065

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: @strapi/plugin-users-permissions versions prior to 4.24.2

Description: The issue arises from chaining two vulnerabilities in @strapi/plugin-users-permissions: an Open Redirect and a session token sent as a URL query parameter. Together they allow an unauthenticated attacker to bypass authentication and retrieve third-party tokens. The attack requires user interaction, specifically a single click. Chained in this way, the two flaws let an attacker obtain a third-party token and bypass the authentication of Strapi apps.

Technical details:
  • API Endpoints: The vulnerable endpoint is /api/connect/microsoft, where the callback parameter can be manipulated.
  • Vulnerable Parameters or Variables: The callback parameter in the URL query is vulnerable, allowing an attacker to redirect users to an arbitrary external domain.
  • Function Names: The callback function in the auth.js file is involved in the vulnerability.

Recommendations:
  • Upgrade @strapi/plugin-users-permissions to version 4.24.2, which contains the fix.
  • As a temporary workaround, restrict access to the /api/connect/microsoft endpoint to reduce the risk of exploitation.
  • Avoid using the callback parameter in the affected API endpoint until the issue is resolved.
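The root cause above is a redirect target taken from the callback query parameter without restriction. As an added example (not Strapi's or the plugin's own code), the following shows a common weak string-prefix check next to an allowlist check that parses the URL and compares its normalised origin; ALLOWED_ORIGINS and FALLBACK are assumed deployment settings.

```javascript
// Added example, not Strapi's own code: validating a post-login redirect
// target such as the `callback` query parameter against an origin allowlist.
// ALLOWED_ORIGINS and FALLBACK are assumed deployment values.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'http://localhost:1337',
]);
const FALLBACK = 'https://app.example.com/';

// Weak check (shown for contrast, not the plugin's code): a prefix test
// accepts hosts such as "app.example.com.other.invalid".
function weakIsAllowed(callback) {
  return callback.startsWith('https://app.example.com');
}

// Hardened check: returns the validated absolute URL or the fallback.
function resolveCallback(callback) {
  if (typeof callback !== 'string' || callback.length === 0) return FALLBACK;
  let url;
  try {
    // No base URL is supplied, so relative, protocol-relative ("//host")
    // and malformed values throw and are rejected instead of resolved.
    url = new URL(callback);
  } catch {
    return FALLBACK;
  }
  // Only http(s) targets; this rejects javascript:, data: and similar.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return FALLBACK;
  // Embedded credentials ("https://app.example.com@host") defeat
  // string-based checks; refuse them outright.
  if (url.username || url.password) return FALLBACK;
  // url.origin is scheme://host[:port] after normalisation (lower-case
  // host, default port dropped), so the set lookup is an exact match.
  if (!ALLOWED_ORIGINS.has(url.origin)) return FALLBACK;
  return url.href;
}

// Constructed sample values for a stand-alone run.
for (const c of ['https://app.example.com/cb?x=1',
                 'https://app.example.com.other.invalid/',
                 '//other.invalid/']) {
  console.log(c, '->', resolveCallback(c));
}
```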

Weakness Enumeration
Open Redirect

Related Identifiers
CVE-2024-34065
GHSA-WRVH-RCMR-9QFC

Affected Products
@Strapi/Plugin-Users-Permissions