Gkwang

**Name of the Vulnerable Software and Affected Versions** Passport-wsfed-saml2 versions prior to 4.6.3 **Description** A remote attacker may be able to bypass WSFed authentication on a website using passport-wsfed-saml2. A successful attack requires that the attacker is in possession of an arbitrary IDP signed assertion. Depending on the IDP used, fully unauthenticated attacks might also be feasible if generation of a signed message can be triggered. **Recommendations** Upgrade the library to version 4.6.3. As a temporary workaround, consider using SAML2 authentication instead of WSFed until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ad-ldap-connector versions prior to 5.0.13 **Description** The issue concerns a lack of CSRF protection in the admin panel, which can be exploited to achieve remote code execution or result in confidential data loss. This can occur when a user visits a malicious page with a CSRF payload on the same machine that has access to the admin console via a browser. **Recommendations** For versions prior to 5.0.13, update to version 5.0.13 to resolve the issue. As a temporary workaround, consider disabling the admin console until the update is applied. Additionally, avoid visiting public URLs on the machine where the admin console is installed to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** express-jwt versions 5.3.3 and earlier **Description** The issue arises when the `algorithms` entry is not specified in the configuration, potentially leading to authorization bypass when used with libraries like `jwks-rsa` as the `secret`. This occurs because the `algorithms` entry is not being enforced in versions up to and including 5.3.3. To be affected, one must be using `express-jwt`, not have `algorithms` configured, and use libraries such as `jwks-rsa` as the `secret`. **Recommendations** For express-jwt versions 5.3.3 and earlier, specify `algorithms` in the express-jwt configuration to fix the issue. For example, configure `algorithms` as `['RS256']` to restrict allowed algorithms. This change will not impact users if `algorithms` was already specified, as the patch makes `algorithms` a required configuration.