CVE-2018-15121

Published: Aug 29, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

Affected (2)

Products: Auth0: Aspnet, Aspnet Owin

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Auth0 Aspnet	All versions
Auth0 Aspnet Owin	All versions

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://auth0.com/docs/security/bulletins/cve-2018-15121

Source: cve@mitre.org

Vendor Advisory

https://auth0.com/docs/security/bulletins/cve-2018-15121

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.