4 matches found
VulnCheck KEV: CVE-2023-22893
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
@chargeover/strapi (=0.0.1-rc1.1), @cowprotocol/cms (=0.1.0-rc.5) +27 more potentially affected by CVE-2023-22893 via @strapi/plugin-users-permissions (>=4.0.0-beta.0 <=4.5.1)
@strapi/plugin-users-permissions NPM version =4.0.0-beta.0, =1.0.0-alpha.0, =2.1.0, =1.0.0, =0.1.1, =0.0.1, =0.1.0, =1.0.10, =4.3.15 - robsen-strapi-site =0.1.0 - sneakmax =0.1.0 and more Source cves: CVE-2023-22893 Source advisory: OSV:GHSA-583X-23H9-F5W7...
CVE-2023-22893
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that...
CVE-2023-22893
Affected software : Strapi (open-source CMS) prior to 4.5.6. Vulnerability : Strapi versions up to 4.5.5/4.5.6-era did not verify access or ID tokens during the OAuth flow when using the AWS Cognito login provider, allowing a remote attacker to forge a token and bypass authentication. Root cause ...