Cross-site Request Forgery (CSRF) Affecting django-allauth package, versions [,0.63.3)


Severity: medium (CVSS assessment made by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-DJANGOALLAUTH-7413652
  • Published: 1 Jul 2024
  • Disclosed: 1 Jul 2024
  • Credit: Unknown

Introduced: 1 Jul 2024

CVE: not available. CWE: CWE-352

How to fix?

Upgrade django-allauth to version 0.63.3 or higher.

Overview

django-allauth is an integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the SAML login flow. RelayState was used to keep track of whether the login flow was IdP-initiated or SP-initiated. Because RelayState is a separate field, not part of the SAMLResponse payload, it was not signed, so its contents could not be trusted, which is what made this vulnerability possible.
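To illustrate the defensive pattern, the following added example (not django-allauth's own code) contrasts an Assertion Consumer Service handler that trusts the unsigned RelayState with one that only accepts a RelayState it previously minted and stored in the server-side session; the session dict, function names and flow labels are assumptions for the illustration.

```python
import hmac
import secrets

# Constructed example: a minimal SAML ACS handler showing why RelayState,
# which sits outside the signed SAMLResponse, must be bound to server-side
# state instead of being trusted as a flow indicator on its own.


def begin_sp_initiated_login(session):
    """SP-initiated flow: mint an unguessable RelayState and remember it
    in the user's session before redirecting the browser to the IdP."""
    state = secrets.token_urlsafe(32)
    session["saml_relay_state"] = state
    return state  # sent to the IdP and echoed back, unsigned, by the browser


def acs_vulnerable(session, relay_state):
    """Vulnerable pattern: the mere presence of a RelayState is taken as
    proof that the SP started this login. Anyone can submit a response
    with a RelayState of their choosing, so the flow type is forgeable."""
    return "sp_initiated" if relay_state else "idp_initiated"


def acs_hardened(session, relay_state):
    """Hardened pattern: classify the flow from the server-side session
    only, and require the echoed RelayState to match it exactly."""
    expected = session.pop("saml_relay_state", None)  # one-time use
    if expected is None:
        # No pending SP-initiated login in this browser session, so the
        # response is treated as IdP-initiated regardless of RelayState.
        return "idp_initiated"
    if relay_state is None or not hmac.compare_digest(expected, relay_state):
        raise ValueError("RelayState does not match the pending login")
    return "sp_initiated"
```

The hardened handler never lets a forged RelayState promote a response to an SP-initiated login, and a mismatch against a pending login is rejected outright.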
