CVE-2017-17068

HIGH

auth0.js < 8.12 - Unauthenticated Exposure of Sensitive Information via Popup Callback

Title source: llm
STIX 2.1

Description

A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().

References (2)

Core 2
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/
Issue Tracking, Vendor Advisory x_refsource_confirm
https://auth0.com/docs/security/bulletins/cve-2017-17068

Scores

CVSS v3 7.5
EPSS 0.0142
EPSS Percentile 69.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (2)
auth0/auth0.js < 8.12
npm/auth0-js 0 - 8.12.0npm
Published Dec 06, 2017
Tracked Since Feb 18, 2026