CVE Vulnerability

CVE-2020-5263

auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3

4 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Scope

4.9 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828 Patch Third Party Advisory
https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:auth0:auth0.js:*:*:*:*:*:*:*:*
Information

Published : 2020-04-09 04:15

Updated : 2020-04-10 01:25

NVD link : CVE-2020-5263

Mitre link : CVE-2020-5263

Products Affected
No products.
CWE
CWE-522