Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
auth0 vulnerabilities and exploits
(subscribe to this query)
8.1
CVSSv3
CVE-2022-23539
Versions `<=8.5.1` of `jsonwebtoken` library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a ...
Auth0 Jsonwebtoken
7.6
CVSSv3
CVE-2022-23540
In versions `<=8.5.1` of `jsonwebtoken` library, lack of algorithm definition in the `jwt.verify()` function can lead to signature validation bypass due to defaulting to the `none` algorithm for signature verification. Users are affected if you do not specify algorithms in the...
Auth0 Jsonwebtoken
6.3
CVSSv3
CVE-2022-23541
jsonwebtoken is an implementation of JSON Web Tokens. Versions `<= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect veri...
Auth0 Jsonwebtoken
6.1
CVSSv3
CVE-2019-20174
Auth0 Lock prior to 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder.
Auth0 Lock
9.8
CVSSv3
CVE-2015-9235
In jsonwebtoken node module prior to 4.2.2 it is possible for an malicious user to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).
Auth0 Jsonwebtoken
7 Github repositories
6.1
CVSSv3
CVE-2022-29172
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/a...
Auth0 Lock
9.1
CVSSv3
CVE-2020-15084
In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affe...
Auth0 Express-jwt
6.5
CVSSv3
CVE-2018-11537
Auth0 angular-jwt prior to 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.
Auth0 Angular-jwt
7.3
CVSSv3
CVE-2019-13483
Auth0 Passport-SharePoint prior to 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows malicious users to forge tokens and bypass authentication and authorization mechanisms.
Auth0 Passport-sharepoint
6.1
CVSSv3
CVE-2022-24794
Express OpenID Connect is an Express JS middleware implementing sign on for Express web apps using OpenID Connect. Users of the `requiresAuth` middleware, either directly or through the default `authRequired` option, are vulnerable to an Open Redirect when the middleware is appli...
Auth0 Express Openid Connect
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27322
cross-site request forgery
unauthorized
CVE-2024-33925
reflected XSS
CVE-2023-51580
CVE-2023-51579
CVE-2015-2051
CVE-2023-51609
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
NEXT »