Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZnZzMtcG1tNy05N3hj
DOM-based XSS in auth0-lock
Overview
Versions before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection.
- For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input.
- For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the lock widget opens.
When a Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
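The two rendering paths the advisory contrasts, as an added example that is not code from auth0-lock or from the advisory. It is framework-free so it runs under plain Node: renderUnsafe mirrors what dangerouslySetInnerHTML does (the value is spliced into the markup verbatim), renderSafe mirrors rendering the value as a text child (React escapes string children automatically; here the escaping is explicit). The element, class name, sample input and the validation helper are all constructed for the illustration.

```javascript
// Added example (not auth0-lock code). Shows why echoing an identifier such as
// an email address or IdP domain back through an innerHTML-style path is an
// XSS sink, and what the text-node path does instead.

// Minimal HTML escaping for text content: the five characters that can change
// the structure of an HTML document when left raw.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Unsafe pattern: markup carried by the value becomes part of the DOM.
// This is the behaviour of dangerouslySetInnerHTML={{ __html: value }}.
function renderUnsafe(value) {
  return `<p class="message">${value}</p>`;
}

// Safe pattern: the value is inserted as text, never parsed as markup.
// Equivalent to <p className="message">{value}</p> in React.
function renderSafe(value) {
  return `<p class="message">${escapeHtml(value)}</p>`;
}

// Crude measure of whether the input introduced markup of its own: count the
// opening element tags in the rendered output (the template contributes one).
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Defence in depth, independent of the renderer: an email address, phone number
// or IdP domain never legitimately contains markup characters, so reject them
// at the input layer as well (constructed rule, not the library's).
function isPlausibleIdentifier(value) {
  return typeof value === 'string' && value.length <= 254 && !/[<>"'&]/.test(value);
}

// Constructed sample: an "email" that carries markup instead of an address.
const sample = 'user@example.com<b>not-an-address</b>';

console.log('unsafe :', renderUnsafe(sample), 'tags =', countTags(renderUnsafe(sample)));
console.log('safe   :', renderSafe(sample), 'tags =', countTags(renderSafe(sample)));
console.log('accept :', isPlausibleIdentifier(sample));
```

The point of countTags is only to make the difference observable without a browser: the unsafe output contains a second element the input smuggled in, the safe output contains exactly the one element the template wrote.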
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
- You are using auth0-lock
- You are using Passwordless or Enterprise connection mode
How to fix that?
Upgrade to version 11.26.3.
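A version check for the "Am I affected?" conditions and the upgrade target, as an added example that is not part of the advisory or of auth0-lock. The bounds 11.25.1 and 11.26.3 come from the advisory; the package.json-shaped input is constructed. Versions are compared numerically per component, because a plain string comparison puts "11.9.0" after "11.25.1" and would report a vulnerable install as fixed.

```javascript
// Added example (not auth0-lock code): is an installed auth0-lock version
// inside the advisory's affected range (<= 11.25.1)?

const LAST_AFFECTED = '11.25.1'; // from the advisory
const FIXED_IN = '11.26.3';      // from the advisory

// Parse MAJOR.MINOR.PATCH, tolerating a leading "v" and ignoring any
// pre-release or build suffix ("11.25.1-beta.1" compares as 11.25.1).
function parseVersion(v) {
  const core = String(v).trim().replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a MAJOR.MINOR.PATCH version: ${v}`);
  }
  return parts;
}

// Component-wise numeric comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected when version <= 11.25.1. The page lists 11.26.0 to 11.26.2 as
// unaffected, so only this upper bound is needed.
function isAffected(version) {
  return compareVersions(version, LAST_AFFECTED) <= 0;
}

// Combine the two advisory conditions: vulnerable version AND a Passwordless
// or Enterprise connection in use. `connectionTypes` is an assumed field
// naming which Auth0 connection kinds the deployment uses.
function assessInstall(pkgJson, connectionTypes) {
  const version = pkgJson.version;
  const vulnerableVersion = isAffected(version);
  const vulnerableMode = connectionTypes.some((t) => t === 'passwordless' || t === 'enterprise');
  return {
    version,
    vulnerableVersion,
    vulnerableMode,
    affected: vulnerableVersion && vulnerableMode,
    upgradeTo: vulnerableVersion ? FIXED_IN : null,
  };
}

// Constructed input; in practice read node_modules/auth0-lock/package.json.
const constructedPkg = { name: 'auth0-lock', version: '11.9.0' };
console.log(assessInstall(constructedPkg, ['database', 'passwordless']));
```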
Will this update impact my users?
The fix provided in the patch will not affect your users.
Permalink: https://github.com/advisories/GHSA-6gg3-pmm7-97xc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZnZzMtcG1tNy05N3hj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
EPSS Percentage: 0.0005
EPSS Percentile: 0.21514
Identifiers: GHSA-6gg3-pmm7-97xc, CVE-2020-15119
References:
- https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc
- https://github.com/auth0/lock/commit/3711fb5b42afd40073a61a58759251f51e768b1b
- https://nvd.nist.gov/vuln/detail/CVE-2020-15119
- https://github.com/advisories/GHSA-6gg3-pmm7-97xc
Blast Radius: 19.5
Affected Packages
npm:auth0-lock
Dependent packages: 88
Dependent repositories: 1,132
Downloads: 78,036 last month
Affected Version Ranges: <= 11.25.1
Fixed in: 11.26.3
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.8, 6.2.9, 6.2.13, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.20, 6.2.21, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 6.10.1, 6.10.2, 6.10.3, 6.10.4, 6.10.5, 6.10.6, 6.11.0, 6.12.0, 6.12.1, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.6.0, 7.6.1, 7.6.2, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.7.5, 7.7.6, 7.8.0, 7.8.1, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.10.0, 7.10.1, 7.10.2, 7.10.3, 7.10.4, 7.11.0, 7.11.1, 7.11.2, 7.12.0, 7.12.1, 7.12.2, 7.12.3, 7.12.4, 7.12.5, 7.12.6, 7.13.0, 7.14.0, 7.14.1, 7.14.2, 7.14.3, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.3.0, 10.4.0, 10.4.1, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.8.0, 10.8.1, 10.9.0, 10.9.1, 10.9.2, 10.10.0, 10.10.1, 10.10.2, 10.11.0, 10.12.0, 10.12.1, 10.12.2, 10.12.3, 10.13.0, 10.14.0, 10.15.0, 10.15.1, 10.16.0, 10.17.0, 10.18.0, 10.19.0, 10.20.0, 10.21.0, 10.21.1, 10.22.0, 10.23.0, 10.23.1, 10.24.0, 10.24.1, 10.24.2, 10.24.3, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.3.0, 11.3.1, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.6.0, 11.6.1, 11.7.0, 11.7.1, 11.7.2, 11.8.0, 11.8.1, 11.9.0, 11.9.1, 11.10.0, 11.11.0, 11.12.0, 11.12.1, 11.13.0, 11.13.1, 11.13.2, 11.14.0, 11.14.1, 11.15.0, 11.16.0, 11.16.1, 11.16.2, 11.16.3, 11.17.0, 11.17.1, 11.17.2, 11.17.3, 11.18.0, 11.18.1, 11.19.0, 11.20.0, 11.20.1, 11.20.2, 11.20.3, 11.20.4, 11.21.0, 11.21.1, 11.22.0, 11.22.1, 11.22.2, 11.22.3, 11.22.4, 11.22.5, 11.23.0, 11.23.1, 11.24.0, 11.24.1, 11.24.2, 11.24.3, 11.24.4, 11.24.5, 11.25.0, 11.25.1
All unaffected versions: 11.26.0, 11.26.1, 11.26.2, 11.26.3, 11.27.0, 11.27.1, 11.27.2, 11.28.0, 11.28.1, 11.29.0, 11.29.1, 11.30.0, 11.30.1, 11.30.2, 11.30.3, 11.30.4, 11.30.5, 11.30.6, 11.31.0, 11.31.1, 11.32.0, 11.32.1, 11.32.2, 11.33.0, 11.33.1, 11.33.2, 11.33.3, 11.34.0, 11.34.1, 11.34.2, 11.35.0, 11.35.1, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 12.5.0, 12.5.1, 13.0.0