GHSA-wpq7-q8j4-72jg

Source

https://github.com/advisories/GHSA-wpq7-q8j4-72jg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-wpq7-q8j4-72jg/GHSA-wpq7-q8j4-72jg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wpq7-q8j4-72jg

Aliases

CVE-2018-7307

Published

2018-03-07T22:22:24Z

Modified

2023-11-08T04:00:22.558635Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Auth0-js bypasses CSRF checks

Details

The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T22:00:53Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-352"
    ]
}

References

Affected packages

npm / auth0-js

Package

Name: auth0-js; View open source insights on deps.dev
Purl: pkg:npm/auth0-js

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.3.0