PT-2024-36791 · Socialite+1

Carlosmintfan · Published 2024-12-20 · Updated 2024-12-20 · CVE-2024-56329

CVSS v4.0: 8.9 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Socialstream versions prior to 6.2

Description: The issue arises when a social account is linked to an already authenticated user: there is no confirmation step, which introduces a security risk. The risk is increased if ->stateless() is used in the Socialite configuration, because that bypasses OAuth state verification. To mitigate this, developers should ensure users explicitly confirm account linking and avoid configurations that skip critical security checks. Socialstream v6.2 introduces a new custom route that requires users to "Confirm" or "Deny" a request to link a social account.

Recommendations: For versions prior to 6.2, upgrade to Socialstream v6.2, which introduces a confirmation step for linking social accounts. As a temporary workaround, consider implementing a manual confirmation process for social account linking until the upgrade is possible. Restrict the use of ->stateless() in the Socialite configuration to minimize the risk of exploitation, and avoid configurations that bypass state verification until the issue is resolved.
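The confirmation step the advisory describes can be illustrated with a Laravel controller that parks the OAuth identity in the session and only writes the link after the authenticated user explicitly confirms it. This is an added example written for this page; it is not Socialstream's or Socialite's own code. Assumed pieces: a ConnectedAccount Eloquent model with user_id / provider / provider_id columns, a social.confirm view, and the route names used in the redirects. The Socialite calls (driver(), redirect(), user(), getId(), getEmail()) are the library's real API; ->stateless() is deliberately not used, so the default state check stays in force.

```php
<?php
// Added illustration of a confirm/deny step for social account linking.
// Not Socialstream's code. Assumed: App\Models\ConnectedAccount, a
// 'social.confirm' view and the route names 'social.confirm.show',
// 'profile' and 'login'.

namespace App\Http\Controllers;

use App\Models\ConnectedAccount;   // assumed model
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;

class SocialLinkController extends Controller
{
    private const PENDING_KEY = 'pending_social_link'; // session key (assumed name)
    private const PENDING_TTL = 300;                    // seconds a pending request stays valid

    // Step 1: start the OAuth flow. The default (stateful) driver stores a random
    // `state` value in the session and verifies it on the callback.
    public function redirect(string $provider)
    {
        // No ->stateless() here: state verification stays enabled.
        return Socialite::driver($provider)->redirect();
    }

    // Step 2: OAuth callback. If a user is already logged in, do NOT link yet:
    // record the provider identity in the session and ask for confirmation.
    public function callback(Request $request, string $provider)
    {
        // Throws Laravel\Socialite\Two\InvalidStateException on a state mismatch.
        $socialUser = Socialite::driver($provider)->user();

        if (! Auth::check()) {
            return redirect()->route('login'); // login/registration path is out of scope here
        }

        $request->session()->put(self::PENDING_KEY, [
            'user_id'     => Auth::id(),          // bind the request to the session's user
            'provider'    => $provider,
            'provider_id' => $socialUser->getId(),
            'email'       => $socialUser->getEmail(),
            'expires_at'  => time() + self::PENDING_TTL,
        ]);

        return redirect()->route('social.confirm.show');
    }

    // Step 3a: show the user what is about to be linked; nothing is written yet.
    public function showConfirm(Request $request)
    {
        $pending = $this->pendingFor($request);
        if ($pending === null) {
            return redirect()->route('profile')->with('status', 'No pending link request.');
        }
        return view('social.confirm', ['pending' => $pending]); // assumed view
    }

    // Step 3b: explicit "Confirm" (POST, CSRF-protected by the web middleware group).
    public function confirm(Request $request)
    {
        $pending = $this->pendingFor($request);
        if ($pending === null) {
            abort(403, 'No valid pending link request.');
        }
        $request->session()->forget(self::PENDING_KEY); // single use

        ConnectedAccount::create([
            'user_id'     => Auth::id(),
            'provider'    => $pending['provider'],
            'provider_id' => $pending['provider_id'],
        ]);

        return redirect()->route('profile')->with('status', 'Social account linked.');
    }

    // Step 3c: explicit "Deny": discard the pending identity, link nothing.
    public function deny(Request $request)
    {
        $request->session()->forget(self::PENDING_KEY);
        return redirect()->route('profile')->with('status', 'Link request denied.');
    }

    // Return the pending request only if it belongs to the current user and is not expired.
    private function pendingFor(Request $request): ?array
    {
        $pending = $request->session()->get(self::PENDING_KEY);
        if (! is_array($pending)
            || $pending['user_id'] !== Auth::id()
            || $pending['expires_at'] < time()) {
            $request->session()->forget(self::PENDING_KEY);
            return null;
        }
        return $pending;
    }
}
```

Register the callback, showConfirm, confirm and deny actions under the web middleware group (session and CSRF protection) and the auth middleware, with confirm and deny as POST routes, so a link can only be created by a deliberate form submission from the already authenticated user whose session holds the pending request.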

Weakness Enumeration
Improper Authentication

Related Identifiers
CVE-2024-56329
GHSA-3Q97-VJPP-C8RP

Affected Products
Socialite
Wp Social Stream