PKSA-ztxk-m2k2-bkgv Security Advisory
[MEDIUM] JWSVerifier uses algorithm from unprotected header, enabling algorithm confusion attacks
PKSA-ztxk-m2k2-bkgv GHSA-5739-39v2-5754
Affected package: web-token/jwt-framework
Affected version: <3.4.10|>=4.0.0,<4.0.7|>=4.1.0,<4.1.7
Reported by: GitHub, FriendsOfPHP/security-advisories