Impact
A Cross-Site Request Forgery (CSRF) vulnerability existed in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made.
You are affected if ALL of these are true:
- Payload version < v3.79.1
- serverURL is configured
Patches
This vulnerability has been patched in v3.79.1. Additional validation has been added to the authentication flow.
Users should upgrade to v3.79.1 or later.
Workarounds
There is no complete workaround without upgrading.
If you cannot upgrade immediately, setting cookies.sameSite to 'Strict' will prevent the session cookie from being sent cross-site. However, this will also require users to re-authenticate when navigating to your application from external links (e.g. email, other sites).
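The workaround above, written out as an added example (not code from the advisory or from the Payload project): an auth-enabled collection in a Payload config with the session cookie set to SameSite=Strict. The collection slug `users` and the placement of `cookies` under the collection's `auth` options are assumptions based on the advisory's `cookies.sameSite` wording.

```typescript
import type { CollectionConfig } from 'payload'

// Assumed slug: the collection that issues the session cookie.
export const Users: CollectionConfig = {
  slug: 'users',
  auth: {
    cookies: {
      // Workaround from the advisory: with 'Strict' the browser never
      // attaches the session cookie to a cross-site request, which blocks
      // the CSRF path. Trade-off: users arriving from an external link
      // (email, another site) land without the cookie and must log in again.
      sameSite: 'Strict',
      // Send the cookie over HTTPS only (unrelated to the CSRF fix, but the
      // usual companion setting for a session cookie).
      secure: true,
    },
  },
  fields: [],
}
```

This is a mitigation only; the advisory states there is no complete workaround without upgrading to v3.79.1 or later.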