Skip to content

Steam Socialite Provider v1 does not correctly validate openid server

Critical severity GitHub Reviewed Published Jan 29, 2021 in SocialiteProviders/Steam • Updated Jan 9, 2023

Package

composer socialiteproviders/steam (Composer)

Affected versions

< 1.1

Patched versions

3.0

Description

Impact

The outdated version 1 of the Steam Socialite Provider doesn't check properly if the login comes from steamcommunity.com, allowing a malicious actor to substitute their own openID server.

Patches

This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained, users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login.

For more information

If you have any questions or comments about this advisory:

References

@atymic atymic published to SocialiteProviders/Steam Jan 29, 2021
Reviewed Jan 29, 2021
Published to the GitHub Advisory Database Jan 29, 2021
Last updated Jan 9, 2023

Severity

Critical

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-hhw9-35p2-q2c5

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.