PT-2017-14695 · Auth0 · Auth0.Js
Appcheckng
Published 2017-12-06 · Updated 2021-04-28
CVE-2017-17068
CVSS v3.1: 7.5 (High)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Auth0 auth0.js library, versions prior to 8.12
Description
A cross-origin issue has been discovered in the Auth0 auth0.js library. If the target site or application uses a popup callback page built with auth0.popup.callback(), an attacker can obtain an authenticated user's tokens and invoke services on that user's behalf. The CVSS vector reflects this: no privileges or user interaction are required (PR:N/UI:N) and the impact is loss of confidentiality of the tokens (C:H), with no direct integrity or availability impact scored.
Recommendations
For versions prior to 8.12, update to version 8.12 or later to resolve the issue. Until the update is applied, a temporary workaround is to avoid using auth0.popup.callback() for popup callback pages.
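The advisory above gives the affected version range and names the popup callback page as the exposure point, but does not describe the mechanism. The following is an added example, not auth0.js code and not reconstructed from it: part (1) is the check a practitioner would run over a dependency inventory to flag versions below the fixed 8.12 release; part (2) models the generic bug class the advisory belongs to, a popup callback page handing the authentication result to whatever window opened it, beside the origin-pinned variant. The origins, the token values and the minimal window model are all constructed for the example; the assumption that auth0.js behaved like relayUnpinned is exactly that, an assumption used to illustrate the class of issue.

```javascript
// Added example for CVE-2017-17068; not auth0.js code. Everything below is
// constructed for illustration: the origins, the token values, and the
// simplified model of a browser window.

// (1) Version check. "Prior to 8.12" is read literally as any version < 8.12.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

const FIXED_VERSION = [8, 12, 0]; // first release the advisory calls fixed

function isVulnerableVersion(v) {
  const [a, b, c] = parseVersion(v);
  const [fa, fb, fc] = FIXED_VERSION;
  if (a !== fa) return a < fa;
  if (b !== fb) return b < fb;
  return c < fc;
}

// (2) Minimal model of a browser window: it has an origin and receives a
// postMessage only when the sender's targetOrigin is "*" or matches it.
// Constructed stand-in for window.opener; not a real DOM object.
function makeWindow(origin) {
  const inbox = [];
  return {
    origin,
    inbox,
    postMessage(message, targetOrigin) {
      if (targetOrigin === '*' || targetOrigin === origin) inbox.push(message);
    },
  };
}

// Parse the URL fragment an authorization server appends to a callback URL.
function parseHashFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return Object.fromEntries(params.entries());
}

// Vulnerable pattern (assumed, generic): relay the result to the opener with
// no origin pinning. Any page that opened the callback as a popup gets it.
function relayUnpinned(hash, opener) {
  opener.postMessage(parseHashFragment(hash), '*');
}

// Hardened pattern: pin the target origin to the application's own origin.
// If a foreign page opened the popup, the browser discards the message.
function relayPinned(hash, opener, appOrigin) {
  opener.postMessage(parseHashFragment(hash), appOrigin);
}

// Scenario: constructed tokens, popup opened by an attacker-controlled page.
const CONSTRUCTED_HASH =
  '#access_token=tok_constructed&id_token=idt_constructed&token_type=Bearer';
const APP_ORIGIN = 'https://app.example';           // assumed application origin
const ATTACKER_ORIGIN = 'https://attacker.example'; // assumed hostile opener

// Returns how many token payloads reached the hostile opener (0 is the goal).
function runScenario(relay) {
  const attackerWindow = makeWindow(ATTACKER_ORIGIN);
  relay(CONSTRUCTED_HASH, attackerWindow, APP_ORIGIN);
  return attackerWindow.inbox.length;
}

console.log('8.11.3 vulnerable:', isVulnerableVersion('8.11.3'));
console.log('leaked with unpinned relay:', runScenario(relayUnpinned));
console.log('leaked with pinned relay:', runScenario(relayPinned));
```

The version check is the concrete action this advisory calls for; the relay model shows why the workaround (not using a popup callback page at all) removes the exposure rather than narrowing it, since a callback page that never talks to its opener has nothing to leak. Note that pinning targetOrigin only stops the outbound leak; a callback page should still validate the OAuth state parameter before trusting anything in the fragment.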
Weakness Enumeration
Information Disclosure
Related Identifiers
CVE-2017-17068
Affected Products
Auth0.Js