CSRF Vulnerability in Auth0 Authentication Service
CVE-2018-6874

8.8HIGH

Key Information:

Vendor: Auth0
Status: Auth0.js
Vendor: CVE Published:; 4 April 2018

What is CVE-2018-6874?

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Auth0 authentication service when the Legacy Lock API feature is enabled. This flaw may allow attackers to perform unauthorized actions on behalf of authenticated users without their consent, compromising the security of user sessions. It is crucial for users and developers utilizing the affected versions of the Auth0 service to implement appropriate security measures and disable the Legacy Lock API if not needed. For more guidance, refer to the official security bulletin.

References

https://auth0.com/docs/security/bulletins/cve-2018-6874

x_refsource_MISC

http://www.securityfocus.com/bid/103695

vdb-entryx_refsource_BID

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 4, 2018
Vulnerability Reserved
Feb 9, 2018

CVE-2018-6874 Data

JSON