Advisories for Composer/Auth0/Auth0-Php package

Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. Am I affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the Auth0-PHP SDK, versions between v3.3.0 and v8.16.0, or Applications using the following SDKs that rely on the Auth0-PHP …

Overview The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Am I Affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the Auth0-PHP SDK, versions between 8.0.0-BETA3 to 8.3.0. Applications using the following SDKs that rely …

Overview Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress, Session storage configured with CookieStore. Fix Upgrade Auth0/Auth0-PHP …