Vulnerability Description
A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Auth0 | Auth0.Js | < 8.12 |
Related Weaknesses (CWE)
References
- https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017- (Exploit, Issue Tracking, Third Party Advisory)
- https://auth0.com/docs/security/bulletins/cve-2017-17068 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2017-17068?
CVE-2017-17068 is a vulnerability with a CVSS score of 7.5 (HIGH). A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke servic...
How severe is CVE-2017-17068?
CVE-2017-17068 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2017-17068?
Check the references section above for vendor advisories and patch information. Affected products include: Auth0 Auth0.Js.