4 matches found
@gadgetinc/auth (>=0.1.0 <=0.4.0), clubeeo-core (>=0.6.0 <=0.6.12) +1 more potentially affected by CVE-2023-31999 +1 more via @fastify/oauth2 (>=5.1.0 <=6.1.0)
@fastify/oauth2 NPM version =5.1.0, =0.1.0, =0.6.0, =3.0.0-beta.0, =3.0.0-beta.31 Source cves: CVE-2023-31999, CVE-2023-35935 Source advisory: OSV:GHSA-G8X5-P9QC-CF95...
CVE-2023-31999
creationtimestamp| type| source ---|---|--- 2023-07-04 20:39:35+00:00| seen| https://t.me/cibsecurity/65940...
CVE-2023-31999
CVE-2023-31999 affects all versions of @fastify/oauth2 due to a statically generated OAuth2 state parameter at startup, reused across requests for all users and sessions. This CSRF flaw could enable forged requests. The issue was addressed in v7.2.0, which switches to per-user state stored in a c...
CVE-2023-35935
REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-31999. Reason: This candidate is a reservation duplicate of CVE-2023-31999. Notes: All CVE users should reference CVE-2023-31999 instead of this candidate. All references and descriptions in this candidate have been removed to prevent...