Vulnerabilities > Auth0 > Critical

DATE        CVE             VULNERABILITY TITLE
            (description; risk: attack vector, attack complexity, vendor, CWE, severity, CVSS base score)
2020-10-21  CVE-2020-15240  Improper Verification of Cryptographic Signature vulnerability in Auth0 Omniauth-Auth0 2.3.0/2.3.1/2.4.0
            omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT signature when using the `jwt_validator.verify` method.
            Risk: network attack vector, low attack complexity, vendor auth0, CWE-347, critical, CVSS 9.1
2020-06-30  CVE-2020-15084  Incorrect Authorization vulnerability in Auth0 Express-Jwt
            In express-jwt (NPM package) up to and including version 5.3.3, the `algorithms` entry specified in the configuration is not enforced, so the algorithm named in the token header is accepted instead of the one the application configured.
            Risk: network attack vector, low attack complexity, vendor auth0, CWE-863, critical, CVSS 9.1
2020-04-01  CVE-2020-7947   Improper Neutralization of Formula Elements in a CSV File vulnerability in Auth0 Login BY Auth0
            An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress: formula elements in CSV data produced by the plugin are not neutralized (CSV injection, CWE-1236), so a value beginning with a formula character is evaluated when the file is opened in a spreadsheet.
            Risk: network attack vector, low attack complexity, vendor auth0, CWE-1236, critical, CVSS 9.8
2019-04-11  CVE-2019-7644   Information Exposure Through an Error Message vulnerability in Auth0 Auth0-Wcf-Service-Jwt
            Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature.
            Risk: network attack vector, low attack complexity, vendor auth0, CWE-209, critical, CVSS 9.8
2018-05-29  CVE-2015-9235   Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken
            In the jsonwebtoken node module before 4.2.2, an attacker can bypass verification when the server expects a token signed with an asymmetric algorithm (RS/ES family) but the attacker instead sends a token signed with a symmetric algorithm (HS* family): the verifier takes the algorithm from the token header and uses the server's public key as the HMAC secret.
            Risk: network attack vector, low attack complexity, vendor auth0, CWE-327, critical, CVSS 9.8
2018-04-04  CVE-2018-6873   Improper Authentication vulnerability in Auth0 Auth0.Js
            The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated.
            Risk: network attack vector, low attack complexity, vendor auth0, CWE-287, critical, CVSS 9.8