CVE-2018-15121 – auth0-aspnet

Package

Manager: nuget
Name: auth0-aspnet
Vulnerable Version: >=0 <=2.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00149 pctl0.36059

Details

Auth0-ASPNET and Auth0-ASPNET-Owin vulnerable to Cross-Site Request Forgery An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

Metadata

Created: 2022-05-14T02:01:18Z
Modified: 2023-05-24T14:56:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mmhr-3jr7-qj2p/GHSA-mmhr-3jr7-qj2p.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-mmhr-3jr7-qj2p
Finding: F007
Auto approve: 1