Vendor
The Auth0.js SDK versions 8.11.0 to 9.32.0 improperly returns user profile information when provided a crafted invalid ID token, potentially bypassing access controls relying on Auth0 Actions.