CVE-2018-7307 – auth0-js

Package

Manager: npm
Name: auth0-js
Vulnerable Version: >=0 <9.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00214 pctl0.43981

Details

Auth0-js bypasses CSRF checks The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks.

Metadata

Created: 2018-03-07T22:22:24Z
Modified: 2022-04-25T22:40:41Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-wpq7-q8j4-72jg/GHSA-wpq7-q8j4-72jg.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-wpq7-q8j4-72jg
Finding: F007
Auto approve: 1