Main Vulnerability Database SB2020040928

SB2020040928 - Insufficiently protected credentials in auth0-js

Published: April 9, 2020 Updated: April 17, 2020

Security Bulletin ID SB2020040928

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Insufficiently protected credentials (CVE-ID: CVE-2020-5263)

The vulnerability allows a remote user to gain access to sensitive information on the system.

The vulnerability exists due to the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. A remote administrator can gain access to sensitive information on the target system.

Remediation

Install update from vendor's website.

References

https://github.com/auth0/auth0.js/commit/355ca749b229fb93142f0b3978399b248d710828
https://github.com/auth0/auth0.js/security/advisories/GHSA-prfq-f66g-43mp