CVE-2017-17068
HIGHauth0.js < 8.12 - Unauthenticated Exposure of Sensitive Information via Popup Callback
Title source: llmDescription
A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions < 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().
References (2)
Core 2
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_misc
https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/
Issue Tracking, Vendor Advisory x_refsource_confirm
https://auth0.com/docs/security/bulletins/cve-2017-17068
Scores
CVSS v3
7.5
EPSS
0.0142
EPSS Percentile
69.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (2)
auth0/auth0.js
< 8.12
npm/auth0-js
0 - 8.12.0npm
Published
Dec 06, 2017
Tracked Since
Feb 18, 2026