In applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient entropy, which may result in threat actors brute-forcing the encryption key and forging session cookies.
In applications built with the Auth0-PHP SDK, the audience validation in access tokens is performed improperly. Without proper validation, affected applications may accept ID tokens as Access tokens.
Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. Am I affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the Auth0 laravel-auth0 SDK with version between 4.0.0 and 7.18.0, Auth0 laravel-auth0 SDK uses the Auth0-PHP SDK with versions …
Overview The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Am I Affected? You are affected by this vulnerability if you meet the following preconditions: Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1. Laravel-auth0 SDK uses the Auth0-PHP SDK with version …
Overview Session cookies of applications using the laravel-auth0 SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: Applications using laravel-auth0 SDK with version <=7.16.0 laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. Session storage configured with CookieStore. Fix Upgrade Auth0/laravel-auth0 …