@strapi/plugin-users-permissions is vulnerable to Authentication Bypass. When using the AWS Cognito
login provider for authentication, the library doesn’t check access or ID tokens generated throughout the OAuth
flow. A remote attacker might impersonate any user using AWS Cognito
by fabricating an ID token signed using the None
type algorithm, bypassing authentication.