Filtered by vendor Auth0
Subscribe
Search
Total
6 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-15240 | 1 Auth0 | 1 Omniauth-auth0 | 2021-11-18 | 5.8 MEDIUM | 9.1 CRITICAL |
| omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1. | |||||
| CVE-2020-7947 | 1 Auth0 | 1 Login By Auth0 | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded. | |||||
| CVE-2019-7644 | 1 Auth0 | 1 Auth0-wcf-service-jwt | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application. | |||||
| CVE-2020-15084 | 1 Auth0 | 1 Express-jwt | 2020-07-08 | 4.3 MEDIUM | 9.1 CRITICAL |
| In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0. | |||||
| CVE-2015-9235 | 1 Auth0 | 1 Jsonwebtoken | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family). | |||||
| CVE-2018-6873 | 1 Auth0 | 1 Auth0.js | 2019-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated. | |||||