Affected versions of passport-azure-ad do not recognize the validateIssuer setting, which allows remote attackers to bypass authentication via a crafted token.
Version 1.x: Update to version 1.4.6 or later. Version 2.x: Update to version 2.0.1 or later.
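
To check an installed dependency tree against the fixed releases above, the following added example (not code from the advisory or from the passport-azure-ad project) scans a parsed package-lock.json for affected installs. The names classify, findInstalls and sampleLock are hypothetical, and major versions other than 1 and 2 are reported as "unknown" because the advisory does not cover them.

```javascript
// Added example: audit a parsed package-lock.json for passport-azure-ad
// versions below the fixed releases named in the advisory.
const FIXED = { 1: [1, 4, 6], 2: [2, 0, 1] }; // major -> first fixed release

// Returns "affected", "fixed", or "unknown" (majors the advisory does not cover).
function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return "unknown";
  const v = [Number(m[1]), Number(m[2]), Number(m[3])];
  const fix = FIXED[v[0]];
  if (!fix) return "unknown";
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fix[i]) return v[i] < fix[i] ? "affected" : "fixed";
  }
  // Same triple as the fix: a pre-release tag sorts before the release itself.
  return m[4] ? "affected" : "fixed";
}

// Walks lockfile v2/v3 ("packages" keyed by path) and v1 (nested "dependencies").
function findInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() === "passport-azure-ad") {
      hits.push({ path, version: meta.version, status: classify(meta.version) });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "passport-azure-ad" && !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version, status: classify(meta.version) });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not from the advisory).
const sampleLock = {
  packages: {
    "node_modules/passport-azure-ad": { version: "1.4.5" },
    "node_modules/some-app/node_modules/passport-azure-ad": { version: "2.0.1" },
  },
};
console.log(findInstalls(sampleLock));
```

Transitive copies nested under other packages are reported with their full node_modules path, so each affected install can be traced to the dependency that pulls it in.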
Advisory published: Dec 6th, 2016
Initial report by Unknown: Oct 27th, 2016