Advisories for Composer/Auth0/Symfony package

Overview In applications built with the Auth0-PHP SDK, the Bulk User Import endpoint does not validate the file path wrapper or value. Without proper validation, affected applications may accept arbitrary file paths or URLs. Am I affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the Auth0 Symfony SDK with versions between 2.0.2 and 5.4.1, Auth0 Symfony SDK uses the Auth0-PHP SDK with versions …

Overview The Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Am I Affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the Auth0 Symfony SDK, versions between 5.0.0 BETA-0 to 5.0.0. Auth0 Symfony SDK uses …

Overview Session cookies of applications using the Auth0 symfony SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Am I Affected? You are affected by this vulnerability if you meet the following pre-conditions: Applications using the Auth0 symfony SDK with version <=5.3.1 Auth0/Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA1 or higher and below 8.14.0. Session storage configured with CookieStore. …