Search for packages
| purl | pkg:npm/auth0-js@3.0.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3jcm-6tna-e7b8
Aliases: CVE-2018-6873 |
Improper Authentication The Auth0 authentication service allows privilege escalation because the JWT audience field is not validated. |
Affected by 5 other vulnerabilities. |
|
VCID-53ug-2gch-bqhr
Aliases: CVE-2017-17068 GHSA-3rpr-mg43-xhq4 |
Information Exposure A cross-origin vulnerability has been discovered in auth0. This vulnerability allows an attacker to acquire authenticated user tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with `auth0.popup.callback().` |
Affected by 4 other vulnerabilities. |
|
VCID-cfu4-873a-rbgv
Aliases: CVE-2018-7307 GHSA-wpq7-q8j4-72jg |
Cross-Site Request Forgery (CSRF) The Auth0 Authjs library has CSRF because it mishandles the case where the authorization response lacks the state parameter. |
Affected by 2 other vulnerabilities. |
|
VCID-edhw-mrxm-u3hy
Aliases: CVE-2018-6874 GHSA-wv26-rj8c-4r33 |
Cross-Site Request Forgery (CSRF) CSRF exists in the Auth0 authentication service when the Legacy Lock API flag is enabled. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-pjum-jypu-ake2 | Information Exposure Through an Error Message In auth0 (npm package), a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. and you are using a Machine to Machine application authorized to use Auth0's management API. |
CVE-2020-15125
GHSA-5jpf-pj32-xx53 |