CVE-2023-28131
Description

A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the “Expo AuthSession Redirect Proxy” for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc.).

6.8 Medium

CVSS2

  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

9.6 Critical

CVSS3

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
