Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities found for auth0.js by auth0
CVE-2026-42280 (GCVE-0-2026-42280)
Vulnerability from nvd – Published: 2026-05-27 14:39 – Updated: 2026-05-28 15:36
VLAI
Title
Improper Permission Checking in Auth.js SDK
Summary
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/auth0/auth0.js/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:36:47.306227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:36:56.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0.js",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.11.0 , \u003c= 9.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:39:15.789Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832"
}
],
"source": {
"advisory": "GHSA-8qjv-jj2q-x832",
"discovery": "UNKNOWN"
},
"title": "Improper Permission Checking in Auth.js SDK"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42280",
"datePublished": "2026-05-27T14:39:15.789Z",
"dateReserved": "2026-04-26T11:53:27.717Z",
"dateUpdated": "2026-05-28T15:36:56.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-15125 (GCVE-0-2020-15125)
Vulnerability from nvd – Published: 2020-07-29 16:25 – Updated: 2024-08-04 13:08
VLAI
Title
Authorization header is not sanitized in an error object in auth0
Summary
In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API
Severity
7.7 (High)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/auth0/node-auth0/security/advi… | x_refsource_CONFIRM |
| https://github.com/auth0/node-auth0/pull/507 | x_refsource_MISC |
| https://github.com/auth0/node-auth0/pull/507/comm… | x_refsource_MISC |
| https://github.com/auth0/node-auth0/tree/v2.27.1 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| auth0 | node-auth0 |
Affected:
< 2.27.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/pull/507"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/tree/v2.27.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-auth0",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0\u0027s management API"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/node-auth0/pull/507"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/node-auth0/tree/v2.27.1"
}
],
"source": {
"advisory": "GHSA-5jpf-pj32-xx53",
"discovery": "UNKNOWN"
},
"title": "Authorization header is not sanitized in an error object in auth0",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15125",
"STATE": "PUBLIC",
"TITLE": "Authorization header is not sanitized in an error object in auth0"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "node-auth0",
"version": {
"version_data": [
{
"version_value": "\u003c 2.27.1"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0\u0027s management API"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-209: Generation of Error Message Containing Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53"
},
{
"name": "https://github.com/auth0/node-auth0/pull/507",
"refsource": "MISC",
"url": "https://github.com/auth0/node-auth0/pull/507"
},
{
"name": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c",
"refsource": "MISC",
"url": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c"
},
{
"name": "https://github.com/auth0/node-auth0/tree/v2.27.1",
"refsource": "MISC",
"url": "https://github.com/auth0/node-auth0/tree/v2.27.1"
}
]
},
"source": {
"advisory": "GHSA-5jpf-pj32-xx53",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15125",
"datePublished": "2020-07-29T16:25:15.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5263 (GCVE-0-2020-5263)
Vulnerability from nvd – Published: 2020-04-09 15:50 – Updated: 2024-08-04 08:22
VLAI
Title
Information disclosure through error object
Summary
auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3
Severity
5.5 (Medium)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/auth0/auth0.js/security/adviso… | x_refsource_CONFIRM |
| https://github.com/auth0/auth0.js/commit/355ca749… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.088Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "auth0.js",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 9.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-09T15:50:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
}
],
"source": {
"advisory": "GHSA-prfq-f66g-43mp",
"discovery": "UNKNOWN"
},
"title": "Information disclosure through error object",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5263",
"STATE": "PUBLIC",
"TITLE": "Information disclosure through error object"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "auth0.js",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 9.12.3"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522: Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
},
{
"name": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828",
"refsource": "MISC",
"url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
}
]
},
"source": {
"advisory": "GHSA-prfq-f66g-43mp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5263",
"datePublished": "2020-04-09T15:50:12.000Z",
"dateReserved": "2020-01-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:22:09.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6874 (GCVE-0-2018-6874)
Vulnerability from nvd – Published: 2018-04-04 17:00 – Updated: 2024-08-05 06:17
VLAI
Summary
CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://auth0.com/docs/security/bulletins/cve-2018-6874 | x_refsource_MISC |
| http://www.securityfocus.com/bid/103695 | vdb-entryx_refsource_BID |
Date Public
2018-04-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:17:16.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6874"
},
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103695"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-10T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6874"
},
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103695"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6874",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://auth0.com/docs/security/bulletins/cve-2018-6874",
"refsource": "MISC",
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6874"
},
{
"name": "103695",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103695"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6874",
"datePublished": "2018-04-04T17:00:00.000Z",
"dateReserved": "2018-02-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T06:17:16.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6873 (GCVE-0-2018-6873)
Vulnerability from nvd – Published: 2018-04-04 17:00 – Updated: 2024-08-05 06:17
VLAI
Summary
The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103695 | vdb-entryx_refsource_BID |
| https://auth0.com/docs/security/bulletins/cve-2018-6873 | x_refsource_MISC |
Date Public
2018-04-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:17:16.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103695"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6873"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-10T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103695"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6873"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6873",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103695",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103695"
},
{
"name": "https://auth0.com/docs/security/bulletins/cve-2018-6873",
"refsource": "MISC",
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6873"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6873",
"datePublished": "2018-04-04T17:00:00.000Z",
"dateReserved": "2018-02-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T06:17:16.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7307 (GCVE-0-2018-7307)
Vulnerability from nvd – Published: 2018-03-06 15:00 – Updated: 2024-08-05 06:24
VLAI
Summary
The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://auth0.com/docs/security/bulletins/cve-2018-7307 | x_refsource_CONFIRM |
Date Public
2018-03-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:11.872Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-7307"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-06T14:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-7307"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7307",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://auth0.com/docs/security/bulletins/cve-2018-7307",
"refsource": "CONFIRM",
"url": "https://auth0.com/docs/security/bulletins/cve-2018-7307"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7307",
"datePublished": "2018-03-06T15:00:00.000Z",
"dateReserved": "2018-02-21T00:00:00.000Z",
"dateUpdated": "2024-08-05T06:24:11.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17068 (GCVE-0-2017-17068)
Vulnerability from nvd – Published: 2017-12-06 19:00 – Updated: 2024-08-05 20:43
VLAI
Summary
A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://appcheck-ng.com/appcheck-discovers-vulner… | x_refsource_MISC |
| https://auth0.com/docs/security/bulletins/cve-201… | x_refsource_CONFIRM |
Date Public
2017-12-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:43:59.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2017-17068"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions \u003c 8.12. This vulnerability allows an attacker to acquire authenticated users\u0027 tokens and invoke services on a user\u0027s behalf if the target site or application uses a popup callback page with auth0.popup.callback()."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-15T18:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2017-17068"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17068",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions \u003c 8.12. This vulnerability allows an attacker to acquire authenticated users\u0027 tokens and invoke services on a user\u0027s behalf if the target site or application uses a popup callback page with auth0.popup.callback()."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/",
"refsource": "MISC",
"url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/"
},
{
"name": "https://auth0.com/docs/security/bulletins/cve-2017-17068",
"refsource": "CONFIRM",
"url": "https://auth0.com/docs/security/bulletins/cve-2017-17068"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17068",
"datePublished": "2017-12-06T19:00:00.000Z",
"dateReserved": "2017-11-30T00:00:00.000Z",
"dateUpdated": "2024-08-05T20:43:59.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-42280 (GCVE-0-2026-42280)
Vulnerability from cvelistv5 – Published: 2026-05-27 14:39 – Updated: 2026-05-28 15:36
VLAI
Title
Improper Permission Checking in Auth.js SDK
Summary
Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/auth0/auth0.js/security/adviso… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T15:36:47.306227Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T15:36:56.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "auth0.js",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.11.0 , \u003c= 9.32.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T14:39:15.789Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-8qjv-jj2q-x832"
}
],
"source": {
"advisory": "GHSA-8qjv-jj2q-x832",
"discovery": "UNKNOWN"
},
"title": "Improper Permission Checking in Auth.js SDK"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42280",
"datePublished": "2026-05-27T14:39:15.789Z",
"dateReserved": "2026-04-26T11:53:27.717Z",
"dateUpdated": "2026-05-28T15:36:56.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-15125 (GCVE-0-2020-15125)
Vulnerability from cvelistv5 – Published: 2020-07-29 16:25 – Updated: 2024-08-04 13:08
VLAI
Title
Authorization header is not sanitized in an error object in auth0
Summary
In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API
Severity
7.7 (High)
CWE
- CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/auth0/node-auth0/security/advi… | x_refsource_CONFIRM |
| https://github.com/auth0/node-auth0/pull/507 | x_refsource_MISC |
| https://github.com/auth0/node-auth0/pull/507/comm… | x_refsource_MISC |
| https://github.com/auth0/node-auth0/tree/v2.27.1 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| auth0 | node-auth0 |
Affected:
< 2.27.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.304Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/pull/507"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/node-auth0/tree/v2.27.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-auth0",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c 2.27.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0\u0027s management API"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209: Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-29T16:25:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/node-auth0/pull/507"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/node-auth0/tree/v2.27.1"
}
],
"source": {
"advisory": "GHSA-5jpf-pj32-xx53",
"discovery": "UNKNOWN"
},
"title": "Authorization header is not sanitized in an error object in auth0",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15125",
"STATE": "PUBLIC",
"TITLE": "Authorization header is not sanitized in an error object in auth0"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "node-auth0",
"version": {
"version_data": [
{
"version_value": "\u003c 2.27.1"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0\u0027s management API"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-209: Generation of Error Message Containing Sensitive Information"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/node-auth0/security/advisories/GHSA-5jpf-pj32-xx53"
},
{
"name": "https://github.com/auth0/node-auth0/pull/507",
"refsource": "MISC",
"url": "https://github.com/auth0/node-auth0/pull/507"
},
{
"name": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c",
"refsource": "MISC",
"url": "https://github.com/auth0/node-auth0/pull/507/commits/62ca61b3348ec8e74d7d00358661af1a8bc98a3c"
},
{
"name": "https://github.com/auth0/node-auth0/tree/v2.27.1",
"refsource": "MISC",
"url": "https://github.com/auth0/node-auth0/tree/v2.27.1"
}
]
},
"source": {
"advisory": "GHSA-5jpf-pj32-xx53",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15125",
"datePublished": "2020-07-29T16:25:15.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:22.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5263 (GCVE-0-2020-5263)
Vulnerability from cvelistv5 – Published: 2020-04-09 15:50 – Updated: 2024-08-04 08:22
VLAI
Title
Information disclosure through error object
Summary
auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3
Severity
5.5 (Medium)
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/auth0/auth0.js/security/adviso… | x_refsource_CONFIRM |
| https://github.com/auth0/auth0.js/commit/355ca749… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:22:09.088Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "auth0.js",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 9.12.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522: Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-09T15:50:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
}
],
"source": {
"advisory": "GHSA-prfq-f66g-43mp",
"discovery": "UNKNOWN"
},
"title": "Information disclosure through error object",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5263",
"STATE": "PUBLIC",
"TITLE": "Information disclosure through error object"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "auth0.js",
"version": {
"version_data": [
{
"version_value": "\u003e= 8.0.0, \u003c 9.12.3"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-522: Insufficiently Protected Credentials"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp"
},
{
"name": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828",
"refsource": "MISC",
"url": "https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828"
}
]
},
"source": {
"advisory": "GHSA-prfq-f66g-43mp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-5263",
"datePublished": "2020-04-09T15:50:12.000Z",
"dateReserved": "2020-01-02T00:00:00.000Z",
"dateUpdated": "2024-08-04T08:22:09.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6874 (GCVE-0-2018-6874)
Vulnerability from cvelistv5 – Published: 2018-04-04 17:00 – Updated: 2024-08-05 06:17
VLAI
Summary
CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://auth0.com/docs/security/bulletins/cve-2018-6874 | x_refsource_MISC |
| http://www.securityfocus.com/bid/103695 | vdb-entryx_refsource_BID |
Date Public
2018-04-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:17:16.763Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6874"
},
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103695"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-10T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6874"
},
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103695"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6874",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://auth0.com/docs/security/bulletins/cve-2018-6874",
"refsource": "MISC",
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6874"
},
{
"name": "103695",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103695"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6874",
"datePublished": "2018-04-04T17:00:00.000Z",
"dateReserved": "2018-02-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T06:17:16.763Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6873 (GCVE-0-2018-6873)
Vulnerability from cvelistv5 – Published: 2018-04-04 17:00 – Updated: 2024-08-05 06:17
VLAI
Summary
The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/103695 | vdb-entryx_refsource_BID |
| https://auth0.com/docs/security/bulletins/cve-2018-6873 | x_refsource_MISC |
Date Public
2018-04-04 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:17:16.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/103695"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6873"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-04-04T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-04-10T09:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "103695",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/103695"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6873"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6873",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "103695",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/103695"
},
{
"name": "https://auth0.com/docs/security/bulletins/cve-2018-6873",
"refsource": "MISC",
"url": "https://auth0.com/docs/security/bulletins/cve-2018-6873"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6873",
"datePublished": "2018-04-04T17:00:00.000Z",
"dateReserved": "2018-02-09T00:00:00.000Z",
"dateUpdated": "2024-08-05T06:17:16.585Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7307 (GCVE-0-2018-7307)
Vulnerability from cvelistv5 – Published: 2018-03-06 15:00 – Updated: 2024-08-05 06:24
VLAI
Summary
The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://auth0.com/docs/security/bulletins/cve-2018-7307 | x_refsource_CONFIRM |
Date Public
2018-03-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:11.872Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-7307"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-03-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-03-06T14:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2018-7307"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7307",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Auth0 Auth0.js library before 9.3 has CSRF because it mishandles the case where the authorization response lacks the state parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://auth0.com/docs/security/bulletins/cve-2018-7307",
"refsource": "CONFIRM",
"url": "https://auth0.com/docs/security/bulletins/cve-2018-7307"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7307",
"datePublished": "2018-03-06T15:00:00.000Z",
"dateReserved": "2018-02-21T00:00:00.000Z",
"dateUpdated": "2024-08-05T06:24:11.872Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17068 (GCVE-0-2017-17068)
Vulnerability from cvelistv5 – Published: 2017-12-06 19:00 – Updated: 2024-08-05 20:43
VLAI
Summary
A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://appcheck-ng.com/appcheck-discovers-vulner… | x_refsource_MISC |
| https://auth0.com/docs/security/bulletins/cve-201… | x_refsource_CONFIRM |
Date Public
2017-12-06 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:43:59.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2017-17068"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-12-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions \u003c 8.12. This vulnerability allows an attacker to acquire authenticated users\u0027 tokens and invoke services on a user\u0027s behalf if the target site or application uses a popup callback page with auth0.popup.callback()."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-15T18:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2017-17068"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17068",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions \u003c 8.12. This vulnerability allows an attacker to acquire authenticated users\u0027 tokens and invoke services on a user\u0027s behalf if the target site or application uses a popup callback page with auth0.popup.callback()."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/",
"refsource": "MISC",
"url": "https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/"
},
{
"name": "https://auth0.com/docs/security/bulletins/cve-2017-17068",
"refsource": "CONFIRM",
"url": "https://auth0.com/docs/security/bulletins/cve-2017-17068"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17068",
"datePublished": "2017-12-06T19:00:00.000Z",
"dateReserved": "2017-11-30T00:00:00.000Z",
"dateUpdated": "2024-08-05T20:43:59.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}