sensiolabs/connect has a Cross-Site Request Forgery Vulnerability

Versions of sensiolabs/connect prior to 4.2.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to the absence of the state parameter in OAuth requests. The lack of proper state parameter handling exposes applications to CSRF attacks during the OAuth authentication flow.

Published: May 21, 2024
Updated: Jun 27, 2024
GHSA: GHSA-6wqp-7g94-f69j
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
sensiolabs / connect	-	4.2.3

https://github.com/FriendsOfPHP/security-advisories/blob/master/sensiolabs/connect/2018-06-08-1.yaml
https://github.com/sensiolabs/connect/pull/63
https://github.com/symfonycorp/connect/commit/9522aa774e8a0f8a61e709d828e6cc34c4c1e703

Vulnerability Database

289,697

sensiolabs/connect has a Cross-Site Request Forgery Vulnerability