Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
auth0 vulnerabilities and exploits
(subscribe to this query)
8.1
CVSSv3
CVE-2022-23539
Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a ...
Auth0 Jsonwebtoken
7.6
CVSSv3
CVE-2022-23540
In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the...
Auth0 Jsonwebtoken
6.3
CVSSv3
CVE-2022-23541
jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect veri...
Auth0 Jsonwebtoken
6.1
CVSSv3
CVE-2022-29172
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/a...
Auth0 Lock
9.8
CVSSv3
CVE-2015-9235
In jsonwebtoken node module prior to 4.2.2 it is possible for an malicious user to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
Auth0 Jsonwebtoken
7 Github repositories
5.4
CVSSv3
CVE-2020-15119
In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
Auth0 Lock
7.3
CVSSv3
CVE-2019-13483
Auth0 Passport-SharePoint prior to 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows malicious users to forge tokens and bypass authentication and authorization mechanisms.
Auth0 Passport-sharepoint
9.1
CVSSv3
CVE-2020-15084
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affe...
Auth0 Express-jwt
6.5
CVSSv3
CVE-2018-11537
Auth0 angular-jwt prior to 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.
Auth0 Angular-jwt
8.1
CVSSv3
CVE-2017-16897
A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 library affecting versions < 3.0.5. This vulnerability allows an malicious user to impersonate another user and potentially elevate their privileges if the SAML identity provider does not sign the full SAML ...
Auth0 Passport-wsfed-saml2
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-23316
SQL injection
type confusion
CVE-2024-20697
CVE-2024-4344
local
CVE-2024-30043
CVE-2024-3821
CVE-2024-5041
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
NEXT »