
12 matches found

OSV
added 2026/03/02 11:46 a.m., 4 views

BIT-PARSE-2026-27804 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.3.1, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their...

CVSS 9.3, AI score 5.8, EPSS 0.00176
Exploits 0, References 6
Github Security Blog
added 2026/02/25 11:0 p.m., 12 views

Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter

Impact: An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. Patches: The fix hardcodes the expected RS256 algorithm...

CVSS 9.3, AI score 5.5, EPSS 0.00176
Exploits 0, References 7, Affected Software 1
EUVD
added 2025/10/07 12:30 a.m., 15 views

EUVD-2020-0463

Malware in sbrugna...

CVSS 9.1, AI score 8.5, EPSS 0.01059
Exploits 0, References 4
RedhatCVE
added 2025/02/05 2:52 p.m., 6 views

CVE-2020-15084

In express-jwt NPM package up to and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...

CVSS 9.1, AI score 6.6, EPSS 0.01059
Exploits 0, References 4
Veracode
added 2020/07/01 6:6 a.m., 25 views

Authorization Bypass

express-jwt is vulnerable to authentication bypass. The algorithms entry, which is to be specified in the configuration, is not enforced, and when it is not specified in the configuration, it can lead to authorization bypass when used with jwks-rsa...

CVSS 9.1, AI score 3.4, EPSS 0.01059
Exploits 0, References 2, Affected Software 1
OSV
added 2020/06/30 4:15 p.m., 17 views

CVE-2020-15084

In express-jwt NPM package up to and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...

CVSS 9.1, AI score 9.2
Exploits 0, References 2
Prion
added 2020/06/30 4:15 p.m., 22 views

Authorization

In express-jwt NPM package up to and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...

CVSS 4.3, AI score 9.2, EPSS 0.01059
Exploits 0, References 2, Affected Software 1
CVE
added 2020/06/30 4:10 p.m., 68 views

CVE-2020-15084

CVE-2020-15084 affects express-jwt up to version 5.3.3, where the algorithms configuration is not enforced when using jwks-rsa as the secret, potentially allowing authorization bypass. The issue is resolved in version 6.0.0; remediation is to explicitly configure allowed algorithms (e.g., RS256) ...

CVSS 9.1, AI score 8.4, EPSS 0.01059
Exploits 0, References 2, Affected Software 1
Cvelist
added 2020/06/30 4:10 p.m., 51 views

CVE-2020-15084 Authorization bypass in express-jwt

In express-jwt NPM package up to and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...

CVSS 7.7, AI score 9.2, EPSS 0.01059
Exploits 0, References 2
OSV
added 2020/06/30 4:5 p.m., 33 views

GHSA-6G6M-M6H5-W9GF Authorization bypass in express-jwt

Overview: Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. Am I affected? You are affected by this...

CVSS 7.7, AI score 9.1, EPSS 0.01059
Exploits 0, References 3
Github Security Blog
added 2020/06/30 4:5 p.m., 98 views

Authorization bypass in express-jwt

Overview: Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. Am I affected? You are affected by this...

CVSS 9.1, AI score 1.6, EPSS 0.01059
Exploits 0, References 4, Affected Software 1
Positive Technologies
added 2020/06/30 12:0 a.m., 5 views

PT-2020-14172

Name of the Vulnerable Software and Affected Versions: express-jwt versions 5.3.3 and earlier. Description: The issue arises when the algorithms entry is not specified in the configuration, potentially leading to authorization bypass when used with libraries like jwks-rsa as the secret. This occurs...

CVSS 9.1, AI score 8, EPSS 0.01059
Exploits 0, References 7