Impact
The Dancer2::Plugin::Auth::OAuth::Provider plugin fails to generate an OAuth 2.0 state parameter during the authorization redirect and therefore cannot validate, when the provider redirects back, that the callback belongs to a flow the local session itself initiated. The state value is the only link between the redirect that started the flow and the callback that finishes it; without it, any well-formed callback is accepted in whatever session receives it. This omission permits a login cross‑site request forgery (CSRF) attack: an attacker completes their own OAuth authorization, withholds the resulting callback, and delivers it to a victim, so that the victim's session is associated with the attacker's provider identity and access token. The weakness is a classic example of CWE‑352 (Cross‑Site Request Forgery).
Affected Systems
Any application that incorporates BIAFRA's Dancer2::Plugin::Auth::OAuth::Provider version 0.22 or earlier for OAuth 2.0 authentication is vulnerable. Applications that use the plugin to link local user accounts to external OAuth provider identities are the ones exposed, since the unauthenticated callback is exactly the step that performs the linking.
Risk and Exploitability
This issue is exploitable through the standard OAuth 2.0 flow over ordinary HTTP requests; no flaw in the provider or in the transport is required. The attack vector is a remote attacker who authorizes the application against their own provider account, captures the resulting callback URL (which carries the attacker's authorization code) before their own browser follows it, and then causes the victim's browser to load that URL, for example through a link, a redirect, or an embedded image. Because the application cannot tell that the victim's session never started a flow, it redeems the attacker's code and binds the attacker's identity and access token to the victim's session. No CVSS or EPSS score has been reported and the vulnerability is not listed in CISA's KEV catalog, so the precise risk is uncertain, but the absent state verification makes this a low‑effort attack on session integrity: data the victim subsequently stores through the linked identity lands in an account the attacker controls, and where the application links the provider identity to an already‑authenticated local account, the attacker can later sign in through the provider and masquerade as the victim.
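The exchange described above, as an added example that is not the plugin's code or any code from the original advisory. It is written in Python rather than Perl so the two outcomes can be run side by side: a client that neither sends nor checks state (the behaviour described for the plugin) binds the attacker's identity to the victim's session, while a client that mints a per‑session state and requires it back rejects the delivered callback. The endpoint URLs, client id, user names and the in‑memory provider are all constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"  # constructed
CLIENT_ID = "demo-client"                                        # constructed
REDIRECT_URI = "https://app.example/oauth/callback"              # constructed


def build_authorize_url(session, use_state=True):
    """Step 1: the client redirects the browser to the provider.

    A hardened client mints an unguessable state, stores it in the initiating
    session and sends it along. use_state=False models a client that sends no
    state at all, which is the weakness described on this page.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
    }
    if use_state:
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state
        params["state"] = state
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


class FakeProvider:
    """Stand-in authorization server: issues single-use codes and echoes state."""

    def __init__(self):
        self._codes = {}

    def authorize(self, authorize_url, resource_owner):
        # The user signed in at the provider approves the request; the provider
        # redirects to the registered redirect_uri with a code and, if one was
        # supplied, the original state.
        q = parse_qs(urlparse(authorize_url).query)
        assert q["redirect_uri"] == [REDIRECT_URI]
        code = secrets.token_urlsafe(16)
        self._codes[code] = resource_owner
        back = {"code": code}
        if "state" in q:
            back["state"] = q["state"][0]
        return REDIRECT_URI + "?" + urlencode(back)

    def exchange(self, code):
        # Token endpoint: each code is redeemable exactly once.
        owner = self._codes.pop(code, None)
        if owner is None:
            raise ValueError("unknown or already-used code")
        return {"user": owner, "token": "tok-" + secrets.token_hex(8)}


def handle_callback(session, callback_url, provider, require_state=True):
    """Step 2: the client receives the redirect and binds the result to the session.

    With require_state=True the callback is accepted only if it carries the
    state that this very session stored in step 1; the stored value is consumed
    so it cannot be replayed, and the comparison is constant-time.
    """
    q = parse_qs(urlparse(callback_url).query)
    if require_state:
        expected = session.pop("oauth_state", None)
        presented = q.get("state", [None])[0]
        if expected is None or presented is None or not secrets.compare_digest(
            expected.encode(), presented.encode()
        ):
            return {"ok": False, "reason": "state missing or mismatched"}
    code = q.get("code", [None])[0]
    if code is None:
        return {"ok": False, "reason": "missing code"}
    try:
        ident = provider.exchange(code)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    session["user"] = ident["user"]
    session["access_token"] = ident["token"]
    return {"ok": True, "user": ident["user"]}


def simulate_login_csrf(require_state):
    """Attacker authorizes as themselves, withholds the callback, and makes the
    victim's browser load it. Returns the callback result and the victim session."""
    provider = FakeProvider()
    attacker_session, victim_session = {}, {}
    url = build_authorize_url(attacker_session, use_state=require_state)
    callback = provider.authorize(url, "attacker")  # carries the attacker's code
    # ...delivered to the victim (link, <img>, redirect) and loaded in the victim's session.
    result = handle_callback(victim_session, callback, provider, require_state=require_state)
    return result, victim_session


def simulate_legitimate_login(require_state=True):
    """The same user starts and finishes the flow in one session."""
    provider = FakeProvider()
    session = {}
    url = build_authorize_url(session, use_state=require_state)
    callback = provider.authorize(url, "alice")
    return handle_callback(session, callback, provider, require_state=require_state), session


if __name__ == "__main__":
    print(simulate_login_csrf(require_state=False)[0])  # attacker bound to victim session
    print(simulate_login_csrf(require_state=True)[0])   # rejected: victim session has no state
```

The two properties that matter in the fix are both in handle_callback: the expected value is read from the session that receives the callback, not from the request, and it is popped so a single callback cannot be replayed into the same session. A state that is generated but never compared, or compared against a value the attacker can also supply, gives no protection.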
OpenCVE Enrichment