Home > Vulnerability Database > CVE-2024-34065

Mend.io Vulnerability Database

CVE-2024-34065

Good to know:

Date: June 12, 2024

Strapi is an open-source content management system. By combining two vulnerabilities (an "Open Redirect" and "session token sent as URL query parameter") in @strapi/plugin-users-permissions before version 4.24.2, is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click). Unauthenticated attackers can leverage two vulnerabilities to obtain an 3rd party token and the bypass authentication of Strapi apps. Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 to receive a patch.

Language: JS

Severity Score

7.1

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-34065

Url: https://github.com/strapi/strapi/commit/9c79921d22142a5de77ea26151550a14e4b12669

Url: https://github.com/strapi/strapi/security/advisories/GHSA-wrvh-rcmr-9qfc

Url: https://github.com/strapi/strapi

Url: https://www.mend.io/vulnerability-database/CVE-2024-34065

Severity Score

7.1

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Authentication Bypass by Capture-replay

CWE-294

Top Fix

Upgrade Version

Upgrade to version @strapi/plugin-users-permissions - 4.24.2

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-34065

Good to know:

Date: June 12, 2024

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?