Azure Active Directory (ADAL) support for ReactJS
latest non-vulnerable version: 5 years ago
latest version published: 2 years ago
Known vulnerabilities in the react-adal package. This does not include vulnerabilities belonging to this package’s dependencies.
react-adal provides Azure Active Directory Library (ADAL) support for ReactJS. Affected versions of this package are vulnerable to Improper Authentication. A specially crafted JWT token and request URL can cause the nonce, session and refresh values to be incorrectly validated, causing the application to treat an attacker-generated JWT token as authentic.
The logical defect is caused by how the nonce, session and refresh values are stored in the browser local storage or session storage. Each key is automatically appended by
When the received nonce and session keys are generated, the list of values is stored in the browser storage, separated by
How to fix Improper Authentication?