Severity: Critical
CVSS Score: 10
### Impact

A malicious user can sign in as a user with any IndieAuth identifier. This is because the implementation does not verify that the final `"me"` URL value returned by the authorization server belongs to the same domain as the initial value entered by the user. An attacker can therefore start a login with their own identifier, have their own authorization server return a victim's profile URL as the final `"me"`, and be signed in as that victim.

### Patches

Version 1.1 fixes this issue.

### Workarounds

There is no workaround. Upgrade to 1.1 immediately.

### References

- [Security Considerations: Differing User Profile URLs](https://indieauth.spec.indieweb.org/#differing-user-profile-urls-li-1) in the IndieAuth specification.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [simonw/datasette-indieauth](https://github.com/simonw/datasette-indieauth/issues)
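To make the Impact section above concrete, the following is an added illustration of the missing check; it is not code from datasette-indieauth. The function names, and the `attacker.example` / `victim.example` URLs used in the demo, are constructed for this example. The vulnerable pattern accepts whatever final `"me"` the authorization server returns; the fixed pattern rejects a final `"me"` whose host differs from the identifier the user originally entered.

```python
from urllib.parse import urlparse


def _host(url: str) -> str:
    """Return the lowercased hostname of an http(s) URL, or raise ValueError.

    Non-http(s) schemes and URLs without a host are rejected outright so
    that values like 'javascript:...' or 'mailto:...' can never pass.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return parts.hostname.lower()


def same_domain(initial_me: str, final_me: str) -> bool:
    """True if the final 'me' lives on the same host as the one the user typed."""
    return _host(initial_me) == _host(final_me)


def accept_me_unverified(initial_me: str, final_me: str) -> str:
    """Vulnerable pattern (hypothetical): trust the authorization server blindly.

    An attacker whose own authorization server returns a victim's profile URL
    as 'me' is signed in as the victim.
    """
    return final_me


def accept_me_same_domain(initial_me: str, final_me: str) -> str:
    """Fixed pattern (hypothetical): bind the final 'me' to the entered identifier.

    Path, trailing slash and scheme may legitimately differ (the spec allows
    the server to canonicalize the profile URL), but the host must not.
    """
    if not same_domain(initial_me, final_me):
        raise ValueError(
            f"authorization server returned me={final_me!r} "
            f"for a login started as {initial_me!r}"
        )
    return final_me


if __name__ == "__main__":
    # Constructed scenario: attacker starts the flow with their own identifier,
    # and their authorization server returns the victim's URL as the final 'me'.
    entered = "https://attacker.example/"
    returned = "https://victim.example/"

    print("unverified:", accept_me_unverified(entered, returned))  # victim wins
    try:
        accept_me_same_domain(entered, returned)
    except ValueError as exc:
        print("rejected:", exc)

    # Legitimate canonicalization on the same host is still accepted.
    print("ok:", accept_me_same_domain("alice.example", "https://alice.example/") if False
          else accept_me_same_domain("https://alice.example", "https://alice.example/profile"))
```

A host comparison is the check this advisory describes and is cheap to apply in the callback handler. The IndieAuth specification's own guidance for a differing final `"me"` is stricter: the client should fetch that final URL, rediscover its authorization endpoint, and confirm it matches the endpoint used in the flow. That covers the case of two users whose profile URLs share a host, which a domain-only check does not.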