CVE-2018-7307
Auth0-js bypasses CSRF checks
8.8
HIGH
CVSS 3.1
EPSS 0.20%
Description
Auth0.js versions below 9.3 skip the CSRF check on the state parameter when that parameter is absent from the authorization response. An attacker can therefore bypass the check simply by omitting state, leaving the client vulnerable to CSRF attacks.
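The defect described above is a state check that only runs when a state value is present. The following is an added illustration, not Auth0.js source code: `validateStateWeak` reproduces that pattern, and `validateStateStrict` is the hardened form that treats a missing, empty or mismatched state as a CSRF failure before any code or token from the response is used. The function names, URLs and state value are constructed for this example.

```javascript
// Added example (not Auth0.js code). Shows why "compare state only if present"
// is not a CSRF check, and what the strict check looks like.

// Parse the fragment (or query) of a redirect URL into a plain object.
function parseAuthResponse(url) {
  const u = new URL(url);
  const params = new URLSearchParams(u.hash ? u.hash.slice(1) : u.search);
  const out = {};
  for (const [k, v] of params) out[k] = v;
  return out;
}

// Weak check (the vulnerable pattern): only compares when `state` is present,
// so a response that carries no `state` at all is accepted.
function validateStateWeak(expectedState, response) {
  if (response.state !== undefined && response.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  return { ok: true };
}

// Strict check (hardened): the client must have a stored state for this login
// attempt, the response must carry a non-empty state, and the two must match.
// Anything else is rejected before the authorization code or tokens are used.
function validateStateStrict(expectedState, response) {
  if (!expectedState) {
    return { ok: false, reason: 'no stored state for this login attempt' };
  }
  if (typeof response.state !== 'string' || response.state.length === 0) {
    return { ok: false, reason: 'state missing from authorization response' };
  }
  if (response.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  return { ok: true };
}

// Constructed sample data: the state the client saved before redirecting,
// a legitimate callback, and a callback with the state omitted.
const STORED_STATE = 'c3f1b2a9';
const GOOD_CALLBACK = 'https://app.example/callback#access_token=tok&state=c3f1b2a9';
const NO_STATE_CALLBACK = 'https://app.example/callback#access_token=tok';

// Run both checks against both responses; the weak check accepts the
// state-less response, the strict check rejects it.
function demo() {
  return {
    weakGood: validateStateWeak(STORED_STATE, parseAuthResponse(GOOD_CALLBACK)).ok,
    weakNoState: validateStateWeak(STORED_STATE, parseAuthResponse(NO_STATE_CALLBACK)).ok,
    strictGood: validateStateStrict(STORED_STATE, parseAuthResponse(GOOD_CALLBACK)).ok,
    strictNoState: validateStateStrict(STORED_STATE, parseAuthResponse(NO_STATE_CALLBACK)).ok,
  };
}

console.log(demo());
```

The strict form is the behaviour to verify in any client that handles an OAuth/OIDC redirect: a response without the state the client generated must be discarded, regardless of which other parameters it carries.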
How to fix CVE-2018-7307
To remediate CVE-2018-7307, upgrade the affected package to one of the fixed versions listed below.
- npm/auth0-js—upgrade to 9.3.0 or later
Is CVE-2018-7307 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/auth0-js: all versions from 0 up to, but not including, 9.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |