PT-2022-20572 · Unknown · Lti 1.3 Tool Library
Name of the Vulnerable Software and Affected Versions: LTI 1.3 Tool Library versions prior to 5.0
Description: The issue concerns the function used to generate random nonces, which was not sufficiently cryptographically strong. This could make values predictable and tokens forgeable. There are no...
GHSA-GJCW-V447-2W7Q Forgeable Public/Private Tokens in jws
Affected versions of the jws package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the...