Vulnerabilities > Auth0 > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-21 | CVE-2020-15240 | Improper Verification of Cryptographic Signature vulnerability in Auth0 Omniauth-Auth0 2.3.0/2.3.1/2.4.0 omniauth-auth0 (rubygems) versions >= 2.3.0 and < 2.4.1 improperly validate the JWT token signature when using the `jwt_validator.verify` method. | 9.1 |
| 2020-06-30 | CVE-2020-15084 | Incorrect Authorization vulnerability in Auth0 Express-Jwt In express-jwt (NPM package) up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. | 9.1 |
| 2020-04-01 | CVE-2020-7947 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Auth0 Login BY Auth0 An issue was discovered in the Login by Auth0 plugin before 4.0.0 for WordPress. | 9.8 |
| 2019-04-11 | CVE-2019-7644 | Information Exposure Through an Error Message vulnerability in Auth0 Auth0-Wcf-Service-Jwt Auth0 Auth0-WCF-Service-JWT before 1.0.4 leaks the expected JWT signature in an error message when it cannot successfully validate the JWT signature. | 9.8 |
| 2018-05-29 | CVE-2015-9235 | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Auth0 Jsonwebtoken In jsonwebtoken node module before 4.2.2 it is possible for an attacker to bypass verification when a token digitally signed with an asymmetric key (RS/ES family) of algorithms but instead the attacker send a token digitally signed with a symmetric algorithm (HS* family). | 9.8 |
| 2018-04-04 | CVE-2018-6873 | Improper Authentication vulnerability in Auth0 Auth0.Js The Auth0 authentication service before 2017-10-15 allows privilege escalation because the JWT audience is not validated. | 9.8 |