Steam Socialite Provider v1 does not correctly validate openid server
Critical severity
GitHub Reviewed
Published
Jan 29, 2021
in
SocialiteProviders/Steam
•
Updated Jan 9, 2023
Description
Reviewed
Jan 29, 2021
Published to the GitHub Advisory Database
Jan 29, 2021
Last updated
Jan 9, 2023
Impact
The outdated version 1 of the Steam Socialite Provider doesn't check properly if the login comes from
steamcommunity.com
, allowing a malicious actor to substitute their own openID server.Patches
This vulnerability only affects the outdated v1.x versions of the package. These are no longer maintained, users should upgrade to v3 or v4, which use a hardcoded endpoint to verify the login.
For more information
If you have any questions or comments about this advisory:
References