> CVE-2018-6874: Details about a security vulnerability identified in the Auth0 authentication service

# CVE-2018-6874: Security Vulnerability in the Auth0 Authentication Service

**Published**: April 4, 2018

**CVE number**: CVE-2018-6874

**Credit**: Internal

## Overview

A vulnerability has been identified in the Auth0 authentication service. Tenants of the service with the Legacy Lock API flag enabled in the service’s management dashboard are affected. If the flag is not visible, it is disabled. Disabling the flag may break applications that use the auth0.js library at version `< 9.0.0` or the Lock library at version `< 11.0.0` for cross-domain username/password authentication, also known as [embedded login](/docs/authenticate/login/universal-vs-embedded-login). Further, any cross-domain use of the `/usernamepassword/login` authentication API endpoint outside of those libraries may also be affected.

After user credentials are verified on `/usernamepassword/login`, an HTML form is rendered into the user’s browser and automatically submitted. It POSTs a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JSON+Web+Token">JSON Web Token</Tooltip> (JWT) to the `/login/callback` endpoint. This authenticated token carries the state of the user’s identity; the session cannot be established directly because of the cross-domain session management restrictions enforced by most modern browsers. Because nothing binds the form post to the browser session that initiated the login, the post is susceptible to [CSRF](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_\(CSRF\)). An attacker with valid user credentials at an Auth0 tenant can use them to obtain such a form, and then employ techniques such as social engineering or clickjacking to have a victim’s browser submit it. The victim will then have a login session at the Auth0 tenant under the attacker’s account, and will therefore be recognized as the attacker by any downstream application in its federation. Should the user undertake any actions while maliciously logged in as such, those actions and any related information will be visible to the attacker.

The attack does not allow any escalation of privileges on behalf of the attacker, and the victim’s actions visible to the attacker are restricted to whatever permissions have been granted to that attacker within the system. The victim will also be fully recognized as the attacker within the federation, and so may be shown account information or other context clues that reveal they are not operating within the auspices of their own account.

## Am I affected?

You are affected if you use username/password authentication (with any database and/or connection) for your Auth0 tenant, and the Legacy Lock API flag in the Auth0 management dashboard is visible and switched on.

## How do I fix it?

To mitigate the vulnerability, toggle the flag to off. The `/usernamepassword/login` endpoint will still work for logins from the <Tooltip tip="Universal Login: Your application redirects to Universal Login, hosted on Auth0's Authorization Server, to verify a user's identity." cta="View Glossary" href="/docs/glossary?term=Universal+Login">Universal Login</Tooltip> page hosted on `/login`; however, these, being same-domain logins, are protected from CSRF. For everything else, toggling the flag disables cross-domain authentication on that endpoint.

For applications employing auth0.js version `< 9.0.0` or Lock version `< 11.0.0`, this may break user logins. Upgrading to auth0.js version `> 9.0.0` or Lock version `> 11.0.0` will restore embedded username/password authentication using cross-origin authentication (note the limitations). Applications are also encouraged to migrate to Universal Login.

Private SaaS Appliances running versions `> 14591` with the Legacy Lock API flag set to off are not affected by this vulnerability.

### Will this update impact my users?

If the Legacy Lock API is disabled without applications having migrated, then all user logins employing the affected functionality will break. Auth0 intends to enforce disablement of the Legacy Lock API for all tenants on July 16th, 2018. The choice of migration may affect the specific user experience of logging into your service, however users, their information, and their sessions will not be otherwise impacted.
