Privilege Escalation

Affecting auth0-js package, versions <8.12


Overview

auth0-js is a client-side JavaScript toolkit for the Auth0 API.

A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire an authenticated user's tokens and invoke services on the user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().
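The affected range above is the actionable part of this advisory for most teams: is any copy of auth0-js below 8.12 installed, including transitive copies nested under other packages? The following is an added example, not Snyk's or Auth0's code, that walks an npm lockfile object and reports every auth0-js install inside the "<8.12" range. It assumes the lockfile is either npm lockfileVersion 1 (nested "dependencies") or lockfileVersion 2/3 (flat "packages" keyed by node_modules path); the sample lockfile, the names findAffectedInstalls, findAuth0Installs, compareVersions and the constant FIXED_VERSION are all constructed for the example.

```javascript
// Added example (not Snyk's or Auth0's code): scan an npm lockfile object for
// auth0-js installs inside the advisory's affected range "<8.12".
// Assumes lockfileVersion 1 (nested "dependencies") or 2/3 (flat "packages").

const AFFECTED_PACKAGE = 'auth0-js';
const FIXED_VERSION = '8.12.0'; // first version outside the "<8.12" range

// Parse "8.11.3", "v8.11.3" or "8.12.0-beta.1" into { nums: [8,11,3], prerelease: bool }.
// Returns null for anything that is not a version string.
function parseVersion(v) {
  const m = /^[v=]?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) return null;
  return {
    nums: [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)],
    prerelease: m[4] !== undefined,
  };
}

// Semver-style ordering on major.minor.patch; a prerelease sorts before the
// same core version (so 8.12.0-beta.1 is still inside "<8.12").
// Returns -1, 0 or 1, or null if either input is not a version string.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

// True when the installed version falls inside the affected range "<8.12".
function isAffected(version) {
  const c = compareVersions(version, FIXED_VERSION);
  return c !== null && c < 0;
}

// Return every auth0-js install in the lockfile with its node_modules path and version.
function findAuth0Installs(lockfile) {
  const found = [];
  // lockfileVersion 2/3: "packages" keyed like "node_modules/foo/node_modules/auth0-js"
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === `node_modules/${AFFECTED_PACKAGE}` ||
        path.endsWith(`/node_modules/${AFFECTED_PACKAGE}`)) {
      found.push({ path, version: entry.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" objects (v2 files carry both;
  // only walk "dependencies" when there is no "packages" map, to avoid duplicates)
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === AFFECTED_PACKAGE) found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lockfile.packages) walk(lockfile.dependencies, '');
  return found;
}

// Keep only the installs that are inside the affected range.
function findAffectedInstalls(lockfile) {
  return findAuth0Installs(lockfile).filter((i) => isAffected(i.version));
}

// Constructed sample lockfile (lockfileVersion 1 layout), not from any real project:
// one direct install below 8.12 and one transitive install already at 8.12.0.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 1,
  dependencies: {
    'auth0-js': { version: '8.10.2' },
    'some-widget': {
      version: '1.0.0',
      dependencies: {
        'auth0-js': { version: '8.12.0' },
      },
    },
  },
};

for (const hit of findAffectedInstalls(SAMPLE_LOCKFILE)) {
  console.log(`affected: ${hit.path}@${hit.version} (fixed range starts at ${FIXED_VERSION})`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with the parsed contents of package-lock.json; a finding at a nested path means the vulnerable copy is pulled in by another dependency and a direct upgrade of auth0-js alone will not remove it.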


CVSS Score: 5.5 (medium severity)
  • Attack Vector: Adjacent
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low
CVSS vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Credit: Unknown
CVE: CVE-2017-17068
CWE: CWE-265
Snyk ID: npm:auth0-js:20171204
Disclosed: 04 Dec, 2017
Published: 07 Dec, 2017