Auth0-js bypasses CSRF checks

GHSA-wpq7-q8j4-72jg · CVE-2018-7307

Published Mar 7, 2018 · Modified Nov 8, 2023

Description

The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-7307
WEB https://auth0.com/docs/security/bulletins/cve-2018-7307
ADVISORY https://github.com/advisories/GHSA-wpq7-q8j4-72jg

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes