Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): auth0
  • Search Type: Search All
There are 26 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2020-15259

ad-ldap-connector's admin panel before version 5.0.13 does not provide csrf protection, which when exploited may result in remote code execution or confidential data loss. CSRF exploits may occur if the user visits a malicious page containing CSRF payload on the same machine that has access to the ad-ldap-connector admin console via a browser. You may be affected if you use the admin console included with ad-ldap-connector versions <=5.0.12. If you do not have ad-ldap-connector admin console enabled or do not visit any other public URL while on the machine it is installed on, you are not affected. The issue is fixed in version 5.0.13.

Published: November 06, 2020; 3:15:11 PM -0500
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2020-15240

omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all of the following conditions apply: 1. You are using `omniauth-auth0`. 2. You are using `JWTValidator.verify` method directly OR you are not authenticating using the SDK’s default Authorization Code Flow. The issue is patched in version 2.4.1.

Published: October 21, 2020; 2:15:12 PM -0400
V3.1: 9.1 CRITICAL
V2.0: 5.8 MEDIUM
CVE-2020-15119

In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

Published: August 19, 2020; 9:17:11 PM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-15125

In auth0 (npm package) versions before 2.27.1, a DenyList of specific keys that should be sanitized from the request object contained in the error object is used. The key for Authorization header is not sanitized and in certain cases the Authorization header value can be logged exposing a bearer token. You are affected by this vulnerability if you are using the auth0 npm package, and you are using a Machine to Machine application authorized to use Auth0's management API

Published: July 29, 2020; 1:15:13 PM -0400
V3.1: 7.7 HIGH
V2.0: 4.0 MEDIUM
CVE-2020-15084

In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this vulnerability if all of the following conditions apply: - You are using express-jwt - You do not have **algorithms** configured in your express-jwt configuration. - You are using libraries such as jwks-rsa as the **secret**. You can fix this by specifying **algorithms** in the express-jwt configuration. See linked GHSA for example. This is also fixed in version 6.0.0.

Published: June 30, 2020; 12:15:15 PM -0400
V3.1: 9.1 CRITICAL
V2.0: 4.3 MEDIUM
CVE-2020-5263

auth0.js (NPM package auth0-js) greater than version 8.0.0 and before version 9.12.3 has a vulnerability. In the case of an (authentication) error, the error object returned by the library contains the original request of the user, which may include the plaintext password the user entered. If the error object is exposed or logged without modification, the application risks password exposure. This is fixed in version 9.12.3

Published: April 09, 2020; 12:15:12 PM -0400
V3.1: 4.9 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-7948

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. A user can perform an insecure direct object reference.

Published: April 01, 2020; 9:15:15 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2020-7947

An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. It has numerous fields that can contain data that is pulled from different sources. One issue with this is that the data isn't sanitized, and no input validation is performed, before the exporting of the user data. This can lead to (at least) CSV injection if a crafted Excel document is uploaded.

Published: April 01, 2020; 9:15:15 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2020-6753

The Login by Auth0 plugin before 4.0.0 for WordPress allows stored XSS on multiple pages, a different issue than CVE-2020-5392.

Published: April 01, 2020; 9:15:15 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-5392

A stored cross-site scripting (XSS) vulnerability exists in the Auth0 plugin before 4.0.0 for WordPress via the settings page.

Published: April 01, 2020; 9:15:15 AM -0400
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2020-5391

Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 plugin before 4.0.0 for WordPress via the domain field.

Published: April 01, 2020; 9:15:15 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2019-20173

The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php.

Published: February 05, 2020; 3:15:11 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-20174

Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder.

Published: February 03, 2020; 1:15:12 PM -0500
V3.1: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-16929

Auth0 auth0.net before 6.5.4 has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens.

Published: October 08, 2019; 9:15:15 AM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2019-13483

Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing. This allows attackers to forge tokens and bypass authentication and authorization mechanisms.

Published: July 25, 2019; 4:15:11 PM -0400
V3.0: 7.3 HIGH
V2.0: 7.5 HIGH
CVE-2019-7644

Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. If this error message is presented to an attacker, they can forge an arbitrary JWT token that will be accepted by the vulnerable application.

Published: April 11, 2019; 4:29:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2018-15121

An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. Affected packages do not use or validate the state parameter of the OAuth 2.0 and OpenID Connect protocols. This leaves applications vulnerable to CSRF attacks during authentication and authorization operations.

Published: August 28, 2018; 11:29:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2018-11537

Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain.

Published: June 19, 2018; 3:29:00 PM -0400
V3.0: 6.5 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2016-10555

Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 and earlier, a malicious user could choose what algorithm is sent sent to the server. If the server is expecting RSA but is sent HMAC-SHA with RSA's public key, the server will think the public key is actually an HMAC private key. This could be used to forge any data an attacker wants.

Published: May 31, 2018; 4:29:02 PM -0400
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2015-9235

In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family).

Published: May 29, 2018; 4:29:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH