Advisories for Composer/Auth0/Login package

Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. Am I affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0, Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions …

Overview The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Am I Affected? You are affected by this vulnerability if you meet the following preconditions: Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1. Laravel-auth0 SDK uses the Auth0-PHP SDK with version …

Overview Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: Applications using laravel-auth0 SDK with version <=7.16.0 laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. Session storage configured with CookieStore. Fix Upgrade Auth0/laravel-auth0 …