Sideni

**Name of the Vulnerable Software and Affected Versions** xmlseclibs versions prior to 3.1.5 **Description** xmlseclibs is a PHP library used for working with XML Encryption and Signatures. A flaw exists in how XML nodes encrypted with aes-128-gcm, aes-192-gcm, or aes-256-gcm handle authentication tag length validation. Specifically, the length of the authentication tag is not validated during decryption, allowing an attacker to potentially brute-force the tag, recover the GHASH key, and decrypt the encrypted nodes. This also enables the forging of arbitrary ciphertexts without knowledge of the encryption key. The GHASH key is a string of bits used in Galois/Counter Mode (GCM) to ensure the integrity and authenticity of the ciphertext. Exploitation involves manipulating the ciphertext and observing XML parsing errors to recover the key. **Recommendations** Versions prior to 3.1.5 should be updated to version 3.1.5 or later.

**Name of the Vulnerable Software and Affected Versions** xml-security versions prior to 2.3.1 xml-security version 1.13.9 **Description** The library lacks validation of the authentication tag length when decrypting XML nodes encrypted with aes-128-gcm, aes-192-gcm, or aes-256-gcm. This allows an attacker to brute-force an authentication tag, recover the GHASH key, and decrypt the encrypted nodes. It also enables the forging of arbitrary ciphertexts without knowing the encryption key. The GHASH key is a string of bits used in Galois/Counter Mode (GCM) for authentication. If static symmetric keys are used, these keys should be rotated as they may have been compromised. The issue can be exploited by observing XML parsing errors that occur after modifying the ciphertext. **Recommendations** Update to xml-security version 2.3.1 or later. Update to xml-security version 1.13.9 or later.

**Name of the Vulnerable Software and Affected Versions** jwe versions 1.1.0 and below **Description** The authentication tag of encrypted JWEs can be brute forced, potentially leading to a loss of confidentiality and the ability to craft arbitrary JWEs. This allows modification of JWEs to decrypt to an arbitrary value and decryption by observing parsing differences. The GCM internal GHASH key can be recovered. Users are affected even if they do not use an AES-GCM encryption algorithm. **Recommendations** Upgrade to version 1.1.1. Rotate the encryption keys after upgrading to version 1.1.1.

Name of the Vulnerable Software and Affected Versions: Auth0-PHP versions 8.0.0-BETA1 through 8.13.x Description: The issue affects applications using the Auth0-PHP SDK configured with CookieStore, where session cookies have authentication tags that can be brute forced, potentially resulting in unauthorized access. This issue requires specific pre-conditions to be vulnerable: the use of the Auth0-PHP SDK or related SDKs (Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress) that rely on the Auth0-PHP SDK, and session storage configured with CookieStore. Recommendations: Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotate cookie encryption keys. Note that once updated, any previous session cookies will be rejected.