CVE-2018-15121
HIGH
Auth0 auth0-aspnet and auth0-aspnet-owin - Cross-Site Request Forgery via Unvalidated OAuth State Parameter
Title source: llm
Description
An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
References (1)
Core References
Vendor Advisory x_refsource_confirm
https://auth0.com/docs/security/bulletins/cve-2018-15121
Scores
CVSS v3
8.8
EPSS
0.0014
EPSS Percentile
33.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (4)
auth0/aspnet
auth0/aspnet-owin
nuget/auth0-aspnet
0NuGet
nuget/Auth0-ASPNET-Owin
0NuGet
Published
Aug 29, 2018
Tracked Since
Feb 18, 2026