Homepage

@strapi/plugin-users-permissions@0.0.0-next.f0f36e3df4b18f167036dcbca529dcb933bf4e1d

Protect your API with a full-authentication process based on JWT

  • latest version

    5.46.0

  • latest non vulnerable version

    5.46.0

  • first published

    4 years ago

  • latest version published

    2 days ago

  • View plugin-users-permissions package health on Snyk  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the @strapi/plugin-users-permissions package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Insufficient Session Expiration

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset or change operation. An attacker can maintain unauthorized access by continuing to use a previously obtained refresh token to generate new access tokens, even after the legitimate user resets their password.

    Note: This is only exploitable if a password reset or change occurs without supplying a deviceId parameter.

    How to fix Insufficient Session Expiration?

    Upgrade @strapi/plugin-users-permissions to version 5.33.3 or higher.

    <5.33.3
    • M
    Brute Force

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Brute Force via the rate-limiting middleware. An attacker can bypass intended request throttling by manipulating the email field in the request body to generate unique rate-limit keys for each request, enabling high-volume brute-force or credential-stuffing attempts.

    How to fix Brute Force?

    Upgrade @strapi/plugin-users-permissions to version 5.45.0 or higher.

    <5.45.0
    • M
    Open Redirect

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Open Redirect when user-controllable data is incorporated into the target of a redirection in an unsafe way. In this specific context, this vulnerability allows the SSO token to be stolen, allowing an attacker to authenticate himself within the application.

    Notes:

    If parameter $_GET["callback"] is defined in the GET request, the assignment does not evaluate all conditions, but stops at the beginning.

    The value is then stored in the cookie koa.sess:

    koa.sess=eyJncmFudCI6eyJwcm92aWRlciI6Im1pY3Jvc29mdCIsImR5bmFtaWMiOnsiY2FsbGJhY2siOiJodHRwczovL2FkbWluLmludGUubmV0YXRtby5jb20vdXNlcnMvYXV0aC9yZWRpcmVjdCJ9fSwiX2V4cGlyZSI6MTcwMTI3NTY1MjEyMywiX21heEFnZSI6ODY0MDAwMDB9

    Which once base64 decoded become {"grant":{"provider":"microsoft","dynamic":{"callback":"https://<TARGET>/users/auth/redirect"}},"_expire":1701275652123,"_maxAge":86400000}.

    The signature of the cookie is stored in cookie koa.sess.sig: koa.sess.sig=wTRmcVRrn88hWMdg84VvSD87-_0

    How to fix Open Redirect?

    Upgrade @strapi/plugin-users-permissions to version 4.24.2 or higher.

    <4.24.2
    • H
    Denial of Service (DoS)

    @strapi/plugin-users-permissions is a headless CMS

    Affected versions of this package are vulnerable to Denial of Service (DoS) such that an attacker can circumvent the rate limit on the login function of Strapi's admin screen.

    How to fix Denial of Service (DoS)?

    Upgrade @strapi/plugin-users-permissions to version 4.12.1 or higher.

    <4.12.1
    Go back to all versions of this package