Cross-Origin Vulnerability in Auth0.js Library Affecting Auth0
CVE-2017-17068

7.5HIGH

Key Information:

Vendor: Auth0
Status: Auth0.js
Vendor: CVE Published:; 6 December 2017

What is CVE-2017-17068?

A cross-origin vulnerability found in the Auth0.js library impacts versions below 8.12. This critical flaw enables attackers to potentially steal authenticated users' tokens, facilitating unauthorized actions on their behalf. It occurs when applications use a popup callback page via the auth0.popup.callback() method. Organizations using affected versions are urged to implement necessary updates and enhanced security measures to mitigate risks associated with this vulnerability.

References

https://appcheck-ng.com/appcheck-discovers-vulnerability-...

x_refsource_MISC

https://auth0.com/docs/security/bulletins/cve-2017-17068

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 6, 2017
Vulnerability Reserved
Nov 30, 2017

CVE-2017-17068 Data

JSON