The Auth0 authentication service prior to 2017-10-15 allows privilege escalation because the JWT audience is not validated.
auth0 auth0.js