Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40strapi/plugin-users-permissions@4.6.0

Type npm

Namespace @strapi

Name plugin-users-permissions

Version 4.6.0

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 4.12.1

Latest_non_vulnerable_version 5.45.0

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-1nkk-pvsd-x7dn

vulnerability_id VCID-1nkk-pvsd-x7dn

summary

Improper Authentication
Strapi through 4.5.5 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication. A remote attacker could forge an ID token that is signed using the 'None' type algorithm to bypass authentication and impersonate any user that use AWS Cognito for authentication.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22893

reference_id

reference_type

scores

value	0.50773
scoring_system	epss
scoring_elements	0.97907
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22893

reference_url

https://github.com/strapi/strapi

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi

reference_url

https://github.com/strapi/strapi/blob/v4.5.6/packages/plugins/users-permissions/server/services/providers-registry.js

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/blob/v4.5.6/packages/plugins/users-permissions/server/services/providers-registry.js

reference_url

https://github.com/strapi/strapi/commit/46f8f98378338f18b5c6139d0157a8f71bf4de83

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/commit/46f8f98378338f18b5c6139d0157a8f71bf4de83

reference_url

https://github.com/strapi/strapi/commit/8bbbd7383a20bb7cb163c8b462baffee559e994f

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/commit/8bbbd7383a20bb7cb163c8b462baffee559e994f

reference_url

https://github.com/strapi/strapi/commit/eeab43b57707d7ef275076d27be6eabc72bd71a7

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/commit/eeab43b57707d7ef275076d27be6eabc72bd71a7

reference_url

https://github.com/strapi/strapi/releases

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:39:39Z/

url

https://github.com/strapi/strapi/releases

reference_url

https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:39:39Z/

url

https://strapi.io/blog/security-disclosure-of-vulnerabilities-cve

reference_url

https://www.ghostccamm.com/blog/multi_strapi_vulns

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.ghostccamm.com/blog/multi_strapi_vulns

reference_url

https://www.ghostccamm.com/blog/multi_strapi_vulns/

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-05T16:39:39Z/

url

https://www.ghostccamm.com/blog/multi_strapi_vulns/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22893

reference_id

CVE-2023-22893

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22893

reference_url	https://github.com/advisories/GHSA-583x-23h9-f5w7
reference_id	GHSA-583x-23h9-f5w7
reference_type
scores
url	https://github.com/advisories/GHSA-583x-23h9-f5w7

fixed_packages

url	pkg:npm/%40strapi/plugin-users-permissions@4.6.0
purl	pkg:npm/%40strapi/plugin-users-permissions@4.6.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/plugin-users-permissions@4.6.0

aliases CVE-2023-22893, GHSA-583x-23h9-f5w7

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1nkk-pvsd-x7dn

url VCID-crp3-d3de-6uhk

vulnerability_id VCID-crp3-d3de-6uhk

summary

Authentication Bypass in @strapi/plugin-users-permissions
Strapi through 4.5.6 does not verify the access or ID tokens issued during the OAuth flow when the AWS Cognito login provider is used for authentication.

references

reference_url

https://github.com/strapi/strapi

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi

reference_url

https://github.com/strapi/strapi/commit/d0edd25ceb49d275d710bf8d59999a2c07072893

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/commit/d0edd25ceb49d275d710bf8d59999a2c07072893

reference_url

https://github.com/strapi/strapi/pull/15382

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/pull/15382

reference_url

https://github.com/strapi/strapi/releases/tag/v4.6.0

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/releases/tag/v4.6.0

reference_url	https://github.com/advisories/GHSA-xv3q-jrmm-4fxv
reference_id	GHSA-xv3q-jrmm-4fxv
reference_type
scores
url	https://github.com/advisories/GHSA-xv3q-jrmm-4fxv

reference_url

https://github.com/strapi/strapi/security/advisories/GHSA-xv3q-jrmm-4fxv

reference_id

GHSA-xv3q-jrmm-4fxv

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/strapi/strapi/security/advisories/GHSA-xv3q-jrmm-4fxv

fixed_packages

url	pkg:npm/%40strapi/plugin-users-permissions@4.6.0
purl	pkg:npm/%40strapi/plugin-users-permissions@4.6.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/plugin-users-permissions@4.6.0

aliases GHSA-xv3q-jrmm-4fxv, GMS-2023-1157

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-crp3-d3de-6uhk

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540strapi/plugin-users-permissions@4.6.0

Package Instance