Description
A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users’ tokens and invoke services on a user’s behalf if the target site or application uses a popup callback page with auth0.popup.callback().
Recommendation
Update the auth0-js package to the latest compatible version. Version details:
- Affected version(s): < 8.12.0
- Patched version(s): 8.12.0
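One way to check a project against this advisory, as an added example that is not part of the original advisory or of Auth0's code: it lists every installed auth0-js copy in a parsed package-lock.json, flags those below 8.12.0, and reports whether any source file calls popup.callback(). The function names (isAffected, findAuth0Js, audit) and the sample lockfile and source text are constructed for illustration.

```javascript
// Added example: helper names and sample data are constructed for illustration.
const PATCHED = [8, 12, 0]; // first patched auth0-js release, per the advisory

// True when `version` sorts below 8.12.0. Prereleases of 8.12.0 and
// unparseable strings are reported too, so they get a manual look.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) return true;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED[i]) return v[i] < PATCHED[i];
  }
  return Boolean(m[4]);
}

// Every installed auth0-js copy in a parsed package-lock.json: the flat
// "packages" map (lockfileVersion 2/3) or the nested "dependencies" tree (v1).
function findAuth0Js(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/auth0-js")) found.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "auth0-js") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// The advisory's condition: an affected copy AND a page calling popup.callback().
function audit(lock, sources) {
  const vulnerable = findAuth0Js(lock).filter((p) => isAffected(p.version));
  const callbackFiles = Object.keys(sources).filter((f) => /\.popup\.callback\s*\(/.test(sources[f]));
  return { vulnerable, callbackFiles, exposed: vulnerable.length > 0 && callbackFiles.length > 0 };
}

// Constructed sample input (not taken from any real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/auth0-js": { version: "8.11.3" },
  "node_modules/widget/node_modules/auth0-js": { version: "8.12.0" },
} };
const sampleSources = { "popup-callback.html": "var webAuth = new auth0.WebAuth(cfg); webAuth.popup.callback();" };
console.log(JSON.stringify(audit(sampleLock, sampleSources), null, 2));
```

Nested copies pulled in by other dependencies are reported with their full node_modules path, so a transitive auth0-js below 8.12.0 is not missed when the top-level one is already patched.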
Related Issues
- rendertron LFI vulnerability - CVE-2017-18354
- debug Inefficient Regular Expression Complexity vulnerability - CVE-2017-20165
- Cross-Site Request Forgery (CSRF) in Auth0 - CVE-2018-6874
- rendertron XSS vulnerability - CVE-2017-18352
Tags: npm, auth0-js
Last updated on September 13, 2023