Vulnerabilities > Auth0
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2020-04-01 | CVE-2020-5391 | Cross-Site Request Forgery (CSRF) vulnerability in Auth0 Wp-Auth0 | Cross-site request forgery (CSRF) vulnerabilities exist in the Auth0 plugin before 4.0.0 for WordPress via the domain field. | 8.8 |
2020-02-05 | CVE-2019-20173 | Cross-site Scripting vulnerability in Auth0 Login BY Auth0 3.11.0/3.11.1/3.11.2 | The Auth0 wp-auth0 plugin 3.11.x before 3.11.3 for WordPress allows XSS via a wle parameter associated with wp-login.php. | 6.1 |
2020-02-03 | CVE-2019-20174 | Cross-site Scripting vulnerability in Auth0 Lock | Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder. | 6.1 |
2019-10-08 | CVE-2019-16929 | Improper Authentication vulnerability in Auth0 Auth0.Net | Auth0 auth0.net before 6.5.4 has Incorrect Access Control because IdentityTokenValidator can be accidentally used to validate untrusted ID tokens. | 7.5 |
2019-07-25 | CVE-2019-13483 | Insufficient Verification of Data Authenticity vulnerability in Auth0 Passport-Sharepoint 0.3.0 | Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signature of an Access Token before processing. | 7.3 |
2019-04-11 | CVE-2019-7644 | Information Exposure Through an Error Message vulnerability in Auth0 Auth0-Wcf-Service-Jwt | Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. | 9.8 |
2018-08-29 | CVE-2018-15121 | Cross-Site Request Forgery (CSRF) vulnerability in Auth0 Aspnet and Aspnet-Owin | An issue was discovered in Auth0 auth0-aspnet and auth0-aspnet-owin. | 8.8 |
2018-06-19 | CVE-2018-11537 | Improper Input Validation vulnerability in Auth0 Angular-Jwt | Auth0 angular-jwt before 0.1.10 treats whiteListedDomains entries as regular expressions, which allows remote attackers with knowledge of the jwtInterceptorProvider.whiteListedDomains setting to bypass the domain whitelist filter via a crafted domain. | 6.5 |
2018-05-29 | CVE-2015-9235 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken | In the jsonwebtoken node module before 4.2.2, an attacker can bypass verification when a token digitally signed with an asymmetric key (RS/ES family of algorithms) is expected but the attacker instead sends a token digitally signed with a symmetric algorithm (HS* family). | 9.8 |
2018-04-04 | CVE-2018-6874 | Cross-Site Request Forgery (CSRF) vulnerability in Auth0 Auth0.Js | CSRF exists in the Auth0 authentication service through 14591 if the Legacy Lock API flag is enabled. | 8.8 |