PT-2020-18354 · Auth0 · Auth0.Js
Marcinhoppe
·
Published
2020-04-09
·
Updated
2020-04-10
·
CVE-2020-5263
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
auth0.js versions 8.0.0 through 9.12.3
auth0.js versions 8.0.0 through 9.13.1
Description
In the case of an authentication error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure.
Recommendations
For versions 8.0.0 through 9.12.3, upgrade to version 9.12.3 or later.
For versions 8.0.0 through 9.13.1, upgrade to version 9.13.2 or later.
As a temporary workaround, consider not storing the error object or displaying it publicly without modification to minimize the risk of password exposure.
Fix
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Auth0.Js