Affected versions of passport-azure-ad
do not recognize the validateIssuer
setting, which allows remote attackers to bypass authentication via a crafted token.
Version 1.x: Update to version 1.4.6 or later.
Version 2.x: Update to version 2.0.1 or later.