12 matches found
BIT-PARSE-2026-27804 Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.3.1, an unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their...
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Impact An unauthenticated attacker can forge a Google authentication token with alg: "none" to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. Patches The fix hardcodes the expected RS256 algorithm...
EUVD-2020-0463
Malware in sbrugna...
CVE-2020-15084
In express-jwt NPM package up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...
Authorization Bypass
express-jwt is vulnerable to authentication bypass. The algorithms entry which are to be specified in the configuration are not enforced and when they are not specified in the configuration, it can lead to authorization bypass when used with jwks-rsa...
CVE-2020-15084
In express-jwt NPM package up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...
Authorization
In express-jwt NPM package up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...
CVE-2020-15084
CVE-2020-15084 affects express-jwt up to version 5.3.3, where the algorithms configuration is not enforced when using jwks-rsa as the secret, potentially allowing authorization bypass. The issue is resolved in version 6.0.0; remediation is to explicitly configure allowed algorithms (e.g., RS256) ...
CVE-2020-15084 Authorization bypass in express-jwt
In express-jwt NPM package up and including version 5.3.3, the algorithms entry to be specified in the configuration is not being enforced. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. You are affected by this...
GHSA-6G6M-M6H5-W9GF Authorization bypass in express-jwt
Overview Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. Am I affected? You are affected by this...
Authorization bypass in express-jwt
Overview Versions before and including 5.3.3, we are not enforcing the algorithms entry to be specified in the configuration. When algorithms is not specified in the configuration, with the combination of jwks-rsa, it may lead to authorization bypass. Am I affected? You are affected by this...
PT-2020-14172
Name of the Vulnerable Software and Affected Versions express-jwt versions 5.3.3 and earlier Description The issue arises when the algorithms entry is not specified in the configuration, potentially leading to authorization bypass when used with libraries like jwks-rsa as the secret. This occurs...