GHSA-wpq7-q8j4-72jg

Опубликовано: 07 мар. 2018

Источник: github

Github: Прошло ревью

CVSS3: 8.8

Описание

Auth0-js bypasses CSRF checks

The Auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks.

Ссылки

https://nvd.nist.gov/vuln/detail/CVE-2018-7307
https://auth0.com/docs/security/bulletins/cve-2018-7307
https://github.com/advisories/GHSA-wpq7-q8j4-72jg

Пакеты

Наименование

auth0-js

npm

Затронутые версииВерсия исправления

< 9.3.0

9.3.0

EPSS

Процентиль: 42%

0.00203

Низкий

8.8 High

CVSS3

CVE ID

CVE-2018-7307

Дефекты

CWE-352

Связанные уязвимости

CVE-2018-7307

CVSS3: 8.8

nvd

почти 8 лет назад

The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.

EPSS

Процентиль: 42%

0.00203

Низкий

8.8 High

CVSS3

CVE ID

CVE-2018-7307

Дефекты

CWE-352