GHSA-6wqp-7g94-f69j: sensiolabs/connect has a Cross-Site Request Forgery Vulnerability

May 21, 2024

Versions of sensiolabs/connect prior to 4.2.3 are affected by a Cross-Site Request Forgery (CSRF) vulnerability due to the absence of the state parameter in OAuth requests. The lack of proper state parameter handling exposes applications to CSRF attacks during the OAuth authentication flow.

References

github.com/FriendsOfPHP/security-advisories/blob/master/sensiolabs/connect/2018-06-08-1.yaml
github.com/advisories/GHSA-6wqp-7g94-f69j
github.com/sensiolabs/connect/pull/63
github.com/symfonycorp/connect
github.com/symfonycorp/connect/commit/9522aa774e8a0f8a61e709d828e6cc34c4c1e703

Detect and mitigate GHSA-6wqp-7g94-f69j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →