
# CVE-2018-15121: Security Vulnerability in auth0-aspnet and auth0-aspnet-owin

**Published**: August 6, 2018

**CVE number**: CVE-2018-15121

**Credit**: Kévin Chalet

## Overview

All versions of the [auth0-aspnet](https://github.com/auth0/auth0-aspnet) and [auth0-aspnet-owin](https://github.com/auth0/auth0-aspnet-owin) packages have a security vulnerability that leaves client applications open to a Cross-Site Request Forgery (CSRF) attack during authorization and authentication operations.

The root cause of this vulnerability is the lack of use and verification of the `state` parameter defined by the OAuth 2.0 and OpenID Connect (OIDC) protocols. Without that check, an attacker can inject their own authorization code into the victim's session.
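The missing check, as an added example written for this bulletin rather than taken from either package: the client binds a random `state` to the browser session before redirecting to the authorization endpoint and rejects any callback whose `state` does not match. The in-memory session dictionary and the forged callback value are constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from auth0-aspnet or auth0-aspnet-owin: the state
// round-trip that the deprecated packages omitted. The session store is an
// in-memory dictionary so the sample runs stand-alone.
public static class OAuthStateGuard
{
    const string SessionKey = "oidc.state";

    // Step 1 (before redirecting to /authorize): mint an unguessable state and
    // bind it to the browser session so only this user agent can finish the flow.
    public static string IssueState(IDictionary<string, string> session)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        // Base64url so the value is safe in a query string.
        string state = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        session[SessionKey] = state;
        return state;
    }

    // Step 2 (on the redirect_uri callback): accept the authorization code only if
    // the returned state equals the one bound to this session. The stored value is
    // consumed either way, so a state can never be replayed.
    public static bool ValidateCallback(IDictionary<string, string> session, string returnedState)
    {
        string expected;
        bool present = session.TryGetValue(SessionKey, out expected);
        session.Remove(SessionKey);
        return present && returnedState != null && FixedTimeEquals(expected, returnedState);
    }

    // Compare every byte with no early exit, so timing does not reveal a prefix match.
    static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

public static class Program
{
    public static void Main()
    {
        var session = new Dictionary<string, string>();
        string state = OAuthStateGuard.IssueState(session);
        // The browser that started the flow returns the same state: accepted.
        Console.WriteLine("legitimate callback accepted: " + OAuthStateGuard.ValidateCallback(session, state));
        OAuthStateGuard.IssueState(session);
        // A callback the user never initiated (constructed value) carries no matching state: rejected.
        Console.WriteLine("forged callback accepted: " + OAuthStateGuard.ValidateCallback(session, "forged-state"));
    }
}
```

The vulnerable packages skipped step 2 entirely, which is why a code delivered to the victim's browser was accepted regardless of who requested it.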

## Am I affected?

If you use any version of `auth0-aspnet` or `auth0-aspnet-owin`, you are affected by this vulnerability.

## How do I fix this?

Further development of the [auth0-aspnet](https://github.com/auth0/auth0-aspnet) and [auth0-aspnet-owin](https://github.com/auth0/auth0-aspnet-owin) packages has been discontinued. We strongly recommend moving to OWIN 4 and the official `Microsoft.Owin.Security.OpenIdConnect` package, which is not vulnerable.

If your application is not currently making use of OWIN, please refer to Microsoft's [OWIN documentation](https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/) to enable it in your application.

### Will this update impact my users?

Current user states and sessions will be invalidated, as different libraries will handle authentication.
