Vulnerability Details CVE-2023-28131
A vulnerability in the expo.io framework allows an attacker to take over accounts and steal credentials on an application/website that configured the "Expo AuthSession Redirect Proxy" for social sign-in. This can be achieved once a victim clicks a malicious link. The link itself may be sent to the victim in various ways (including email, text message, an attacker-controlled website, etc).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.01
EPSS Ranking 75.4%
CVSS Severity
CVSS v3 Score 9.6
References
- https://blog.expo.dev/security-advisory-for-developers-using-authsessions-useproxy-options-and-auth-expo-io-e470fe9346df
- https://www.darkreading.com/endpoint/oauth-flaw-in-expo-platform-affects-hundreds-of-third-party-sites-apps
- https://blog.expo.dev/security-advisory-for-developers-using-authsessions-useproxy-options-and-auth-expo-io-e470fe9346df
- https://www.darkreading.com/endpoint/oauth-flaw-in-expo-platform-affects-hundreds-of-third-party-sites-apps
Products affected by CVE-2023-28131
-
cpe:2.3:a:expo:expo_software_development_kit:45.0.0
-
cpe:2.3:a:expo:expo_software_development_kit:46.0.0
-
cpe:2.3:a:expo:expo_software_development_kit:47.0.0