CVE-2024-34065: 
JavaScript vulnerability analysis and mitigation

CVE-2024-34065 affects Strapi, an open-source content management system, specifically the @strapi/plugin-users-permissions component before version 4.24.2. The vulnerability combines two security issues: an Open Redirect vulnerability and a session token exposure via URL query parameters. This security flaw was discovered and disclosed on June 12, 2024, allowing unauthenticated attackers to bypass authentication mechanisms and retrieve third-party tokens (GitHub Advisory).

The vulnerability consists of two combined weaknesses: an Open Redirect (CWE-601) and Authentication Bypass by Capture-replay (CWE-294). The issue occurs in the OAuth callback functionality where the application unsafely handles user-controllable data in redirection targets. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, while GitHub assessed it at 7.1 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N (NVD).

When exploited, this vulnerability allows unauthenticated attackers to bypass authentication mechanisms and obtain third-party tokens. The attack requires minimal user interaction (one click) and can lead to unauthorized access to Strapi applications. The impact primarily affects confidentiality and integrity of the system, with high potential for unauthorized data access (GitHub Advisory).

Users should upgrade @strapi/plugin-users-permissions to version 4.24.2 or later to receive the security patch. The fix addresses both the Open Redirect vulnerability and the insecure transmission of session tokens via URL parameters (GitHub Advisory).