Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
auth0 vulnerabilities and exploits
(subscribe to this query)
9.1
CVSSv3
CVE-2020-15240
omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an malicious user to bypass authentication and authorization. You are a...
Auth0 Omniauth-auth0
4.9
CVSSv3
CVE-2020-5263
auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the use...
Auth0 Auth0.js
9.8
CVSSv3
CVE-2020-7947
An issue exists in the Login by Auth0 plugin prior to 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of ...
Auth0 Login By Auth0
6.1
CVSSv3
CVE-2019-20173
The Auth0 wp-auth0 plugin 3.11.x prior to 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php.
Auth0 Login By Auth0
8.8
CVSSv3
CVE-2020-7948
An issue exists in the Login by Auth0 plugin prior to 4.0.0 for WordPress. A user can perform an insecure direct object reference.
Auth0 Login By Auth0
6.1
CVSSv3
CVE-2020-6753
The Login by Auth0 plugin prior to 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392.
Auth0 Login By Auth0
8.8
CVSSv3
CVE-2018-15121
An issue exists in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.
Auth0 Aspnet-owin -
Auth0 Aspnet -
9.8
CVSSv3
CVE-2019-7644
Auth0 Auth0-WCF-Service-JWT prior to 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable...
Auth0 Auth0-wcf-service-jwt
5.4
CVSSv3
CVE-2020-15119
In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
Auth0 Lock
6.1
CVSSv3
CVE-2021-32641
auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is inco...
Auth0 Lock
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
encryption
CVE-2024-4331
CVE-2024-26925
arbitrary code
CVE-2006-4304
CVE-2024-25458
CVE-2024-27077
reflected XSS
CVE-2024-4059
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
NEXT »