
CVE-2018-7307:
Auth0-js bypasses CSRF checks

8.8

CVSS Score

Basic Information

EPSS Score
-
Published
3/7/2018
Updated
1/9/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name
auth0-js
Ecosystem
npm
Vulnerable Versions
< 9.3.0
First Patched Version
9.3.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper CSRF protection in the OAuth response handling. The primary function involved in processing authorization responses in auth0-js is WebAuth.parseHash, which is responsible for validating the state parameter. In vulnerable versions (< 9.3.0), this function allowed the CSRF check to be bypassed when the state parameter was missing from the response. The security bulletin explicitly states that state parameter validation was missing in authorization response handling, and parseHash is the core function that performs this validation in Auth0.js. While no patch code is shown here, the advisory confirms the fix required adding proper state validation checks in this critical authentication flow function.

WAF Protection Rules

WAF Rule

The auth0.js library has a vulnerability affecting versions below 9.3 that allows an attacker to bypass the CSRF check from the state parameter if it's missing from the authorization response, leaving the client vulnerable to CSRF attacks.

Reasoning

The vulnerability stems from improper CSRF protection in the OAuth response handling. The primary function involved in processing authorization responses in auth0-js is WebAuth.parseHash, which would be responsible for validating the state parameter.