{"id":"CVE-2017-17068","details":"A cross-origin vulnerability has been discovered in the Auth0 auth0.js library affecting versions \u003c 8.12. This vulnerability allows an attacker to acquire authenticated users' tokens and invoke services on a user's behalf if the target site or application uses a popup callback page with auth0.popup.callback().","aliases":["GHSA-3rpr-mg43-xhq4"],"modified":"2026-03-14T09:24:50.723158Z","published":"2017-12-06T19:29:00.233Z","references":[{"type":"REPORT","url":"https://appcheck-ng.com/appcheck-discovers-vulnerability-auth0-library-cve-2017-17068/"},{"type":"REPORT","url":"https://auth0.com/docs/security/bulletins/cve-2017-17068"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/auth0/auth0.js","events":[{"introduced":"0"},{"fixed":"9483a316e9c1f31670e7ce806725761055a7f6d1"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.12"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-17068.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}