Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03d3c2LTc1ZmotamNqN84AAqwb
Cross-site Scripting in Auth0 Lock
Overview
In versions before and including 11.32.2, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service user_metdata payload (using the name property).
Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.
Am I affected?
You are impacted by this vulnerability if you are using auth0-lock version 11.32.2 or lower and are using the “additional signup fields” feature in your application.
How to fix that?
Upgrade to version 11.33.0.
Will this update impact my users?
Additional signup fields that have been added to the signup tab on Lock will have HTML tags stripped from user input from version 11.33.0 onwards. The user will not receive any validation warning or feedback, but backend data will no longer include HTML.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03d3c2LTc1ZmotamNqN84AAqwb
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-7ww6-75fj-jcj7, CVE-2022-29172
References:
- https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
- https://nvd.nist.gov/vuln/detail/CVE-2022-29172
- https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
- https://github.com/advisories/GHSA-7ww6-75fj-jcj7
Blast Radius: 18.6
Affected Packages
npm:auth0-lock
Dependent packages: 87Dependent repositories: 1,132
Downloads: 98,084 last month
Affected Version Ranges: < 11.33.0
Fixed in: 11.33.0
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.8, 6.2.9, 6.2.13, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.20, 6.2.21, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 6.10.1, 6.10.2, 6.10.3, 6.10.4, 6.10.5, 6.10.6, 6.11.0, 6.12.0, 6.12.1, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.6.0, 7.6.1, 7.6.2, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.7.5, 7.7.6, 7.8.0, 7.8.1, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.10.0, 7.10.1, 7.10.2, 7.10.3, 7.10.4, 7.11.0, 7.11.1, 7.11.2, 7.12.0, 7.12.1, 7.12.2, 7.12.3, 7.12.4, 7.12.5, 7.12.6, 7.13.0, 7.14.0, 7.14.1, 7.14.2, 7.14.3, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.3.0, 10.4.0, 10.4.1, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.8.0, 10.8.1, 10.9.0, 10.9.1, 10.9.2, 10.10.0, 10.10.1, 10.10.2, 10.11.0, 10.12.0, 10.12.1, 10.12.2, 10.12.3, 10.13.0, 10.14.0, 10.15.0, 10.15.1, 10.16.0, 10.17.0, 10.18.0, 10.19.0, 10.20.0, 10.21.0, 10.21.1, 10.22.0, 10.23.0, 10.23.1, 10.24.0, 10.24.1, 10.24.2, 10.24.3, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.3.0, 11.3.1, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.6.0, 11.6.1, 11.7.0, 11.7.1, 11.7.2, 11.8.0, 11.8.1, 11.9.0, 11.9.1, 11.10.0, 11.11.0, 11.12.0, 11.12.1, 11.13.0, 11.13.1, 11.13.2, 11.14.0, 11.14.1, 11.15.0, 11.16.0, 11.16.1, 11.16.2, 11.16.3, 11.17.0, 11.17.1, 11.17.2, 11.17.3, 11.18.0, 11.18.1, 11.19.0, 11.20.0, 11.20.1, 11.20.2, 11.20.3, 11.20.4, 11.21.0, 11.21.1, 11.22.0, 11.22.1, 11.22.2, 11.22.3, 11.22.4, 11.22.5, 11.23.0, 11.23.1, 11.24.0, 11.24.1, 11.24.2, 11.24.3, 11.24.4, 11.24.5, 11.25.0, 11.25.1, 11.26.0, 11.26.1, 11.26.2, 11.26.3, 11.27.0, 11.27.1, 11.27.2, 11.28.0, 11.28.1, 11.29.0, 11.29.1, 11.30.0, 11.30.1, 11.30.2, 11.30.3, 11.30.4, 11.30.5, 11.30.6, 11.31.0, 11.31.1, 11.32.0, 11.32.1, 11.32.2
All unaffected versions: 11.33.0, 11.33.1, 11.33.2, 11.33.3, 11.34.0, 11.34.1, 11.34.2, 11.35.0, 11.35.1, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 12.5.0