Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdwcTctcThqNC03Mmpn

Auth0-js bypasses CSRF checks

The Auth0.js library, in versions below 9.3.0, allows an attacker to bypass the CSRF check that the `state` parameter is meant to provide: if the `state` parameter is missing from the authorization response, the check is not enforced instead of the response being rejected, leaving the client vulnerable to CSRF (login CSRF) attacks.

Permalink: https://github.com/advisories/GHSA-wpq7-q8j4-72jg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXdwcTctcThqNC03Mmpn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 7 years ago
Updated: almost 2 years ago


CVSS Score: 8.8
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Percentage: 0.0008
EPSS Percentile: 0.35858

Identifiers: GHSA-wpq7-q8j4-72jg, CVE-2018-7307
References:
Blast Radius: 36.8

Affected Packages

npm:auth0-js
Dependent packages: 286
Dependent repositories: 15,041
Downloads: 723,335 last month
Affected Version Ranges: < 9.3.0
Fixed in: 9.3.0
All affected versions: 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.2.0, 0.2.1, 0.2.2, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.2, 1.3.0, 1.3.1, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.10, 1.3.12, 1.4.3, 1.5.2, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.17, 2.0.18, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.3.0, 3.0.0, 3.0.1, 3.0.3, 3.1.0, 3.2.1, 3.2.2, 3.2.3, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 4.3.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.4.0, 5.5.0, 5.5.1, 6.0.2, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.2.0, 6.3.0, 6.3.1, 6.4.0, 6.4.1, 6.4.2, 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.7.0, 6.7.1, 6.7.2, 6.7.3, 6.7.4, 6.7.5, 6.7.6, 6.7.7, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.2.0, 7.2.1, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.6.1, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.6.1, 8.7.0, 8.8.0, 8.9.0, 8.9.1, 8.9.2, 8.9.3, 8.10.0, 8.10.1, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.12.0, 8.12.1, 8.12.2, 8.12.3, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3
All unaffected versions: 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.7.0, 9.7.1, 9.7.2, 9.7.3, 9.8.0, 9.8.1, 9.8.2, 9.9.0, 9.9.1, 9.10.0, 9.10.1, 9.10.2, 9.10.3, 9.10.4, 9.11.0, 9.11.1, 9.11.2, 9.11.3, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.13.1, 9.13.2, 9.13.3, 9.13.4, 9.14.0, 9.14.1, 9.14.2, 9.14.3, 9.15.0, 9.16.0, 9.16.1, 9.16.2, 9.16.3, 9.16.4, 9.17.0, 9.18.0, 9.18.1, 9.19.0, 9.19.1, 9.19.2, 9.20.0, 9.20.1, 9.20.2, 9.21.0, 9.22.0, 9.22.1, 9.23.0, 9.23.1, 9.23.2, 9.23.3, 9.24.0, 9.24.1, 9.25.0, 9.26.0, 9.26.1, 9.27.0, 9.28.0