Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.


DOM-based XSS in auth0-lock

Overview

Versions up to and including 11.25.1 use dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection.

When a Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

How to fix that?

Upgrade to version 11.26.3

Will this update impact my users?

The fix provided in the patch will not affect your users.

Credit

https://github.com/mvisat

Permalink: https://github.com/advisories/GHSA-6gg3-pmm7-97xc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZnZzMtcG1tNy05N3hj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago


CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Identifiers: GHSA-6gg3-pmm7-97xc, CVE-2020-15119
References: Repository: https://github.com/auth0/lock
Blast Radius: 19.5

Affected Packages

npm:auth0-lock
Dependent packages: 87
Dependent repositories: 1,132
Downloads: 98,084 last month
Affected Version Ranges: <= 11.25.1
Fixed in: 11.26.3
All affected versions: 6.0.0, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.2.0, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.8, 6.2.9, 6.2.13, 6.2.15, 6.2.16, 6.2.17, 6.2.18, 6.2.19, 6.2.20, 6.2.21, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.5.0, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.7.0, 6.7.1, 6.8.0, 6.8.1, 6.8.2, 6.8.3, 6.8.4, 6.10.1, 6.10.2, 6.10.3, 6.10.4, 6.10.5, 6.10.6, 6.11.0, 6.12.0, 6.12.1, 7.0.0, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.2.0, 7.3.0, 7.3.1, 7.3.2, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.5.3, 7.5.4, 7.5.5, 7.5.6, 7.5.7, 7.6.0, 7.6.1, 7.6.2, 7.7.0, 7.7.1, 7.7.2, 7.7.3, 7.7.4, 7.7.5, 7.7.6, 7.8.0, 7.8.1, 7.9.0, 7.9.1, 7.9.2, 7.9.3, 7.9.4, 7.9.5, 7.10.0, 7.10.1, 7.10.2, 7.10.3, 7.10.4, 7.11.0, 7.11.1, 7.11.2, 7.12.0, 7.12.1, 7.12.2, 7.12.3, 7.12.4, 7.12.5, 7.12.6, 7.13.0, 7.14.0, 7.14.1, 7.14.2, 7.14.3, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 10.0.0, 10.0.1, 10.0.2, 10.1.0, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.3.0, 10.4.0, 10.4.1, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.8.0, 10.8.1, 10.9.0, 10.9.1, 10.9.2, 10.10.0, 10.10.1, 10.10.2, 10.11.0, 10.12.0, 10.12.1, 10.12.2, 10.12.3, 10.13.0, 10.14.0, 10.15.0, 10.15.1, 10.16.0, 10.17.0, 10.18.0, 10.19.0, 10.20.0, 10.21.0, 10.21.1, 10.22.0, 10.23.0, 10.23.1, 10.24.0, 10.24.1, 10.24.2, 10.24.3, 11.0.0, 11.0.1, 11.1.0, 11.1.1, 11.1.2, 11.1.3, 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.3.0, 11.3.1, 11.4.0, 11.5.0, 11.5.1, 11.5.2, 11.6.0, 11.6.1, 11.7.0, 11.7.1, 11.7.2, 11.8.0, 11.8.1, 11.9.0, 11.9.1, 11.10.0, 11.11.0, 11.12.0, 11.12.1, 11.13.0, 11.13.1, 11.13.2, 11.14.0, 11.14.1, 11.15.0, 11.16.0, 11.16.1, 11.16.2, 11.16.3, 11.17.0, 11.17.1, 11.17.2, 11.17.3, 11.18.0, 11.18.1, 11.19.0, 11.20.0, 11.20.1, 11.20.2, 11.20.3, 
11.20.4, 11.21.0, 11.21.1, 11.22.0, 11.22.1, 11.22.2, 11.22.3, 11.22.4, 11.22.5, 11.23.0, 11.23.1, 11.24.0, 11.24.1, 11.24.2, 11.24.3, 11.24.4, 11.24.5, 11.25.0, 11.25.1
All unaffected versions: 11.26.0, 11.26.1, 11.26.2, 11.26.3, 11.27.0, 11.27.1, 11.27.2, 11.28.0, 11.28.1, 11.29.0, 11.29.1, 11.30.0, 11.30.1, 11.30.2, 11.30.3, 11.30.4, 11.30.5, 11.30.6, 11.31.0, 11.31.1, 11.32.0, 11.32.1, 11.32.2, 11.33.0, 11.33.1, 11.33.2, 11.33.3, 11.34.0, 11.34.1, 11.34.2, 11.35.0, 11.35.1, 12.0.0, 12.0.1, 12.0.2, 12.1.0, 12.2.0, 12.3.0, 12.3.1, 12.4.0, 12.5.0
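
A check for the affected range listed above (<= 11.25.1), as an added example that is not part of the advisory or the auth0-lock project: it walks an npm lockfile in either layout and reports every installed copy of auth0-lock, including copies nested under other packages. The sample lockfiles and the package name "legacy-login" are constructed for illustration.

```javascript
// Added example: list auth0-lock copies in an npm lockfile that fall in the
// advisory's affected range (<= 11.25.1). "legacy-login" below is hypothetical.
const LAST_AFFECTED = [11, 25, 1];
function isAffected(version) {
  // Pre-release/build suffixes are ignored: 11.26.0-beta.1 counts as 11.26.0.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true; // git/tarball spec or missing version: flag for review
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== LAST_AFFECTED[i]) return parts[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 11.25.1
}

function findAffected(lock) {
  const hits = [];
  const check = (path, meta) => {
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/auth0-lock")) check(path, meta);
    }
    return hits; // v2 also mirrors this in "dependencies"; skip to avoid duplicates
  }
  // lockfileVersion 1: nested "dependencies" tree
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "auth0-lock") check(path, meta);
      walk(meta.dependencies, path + "/");
    }
  })(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not from a real project).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/auth0-lock": { version: "11.26.3" },
  "node_modules/legacy-login/node_modules/auth0-lock": { version: "11.25.1" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "auth0-lock": { version: "11.30.0" },
  "legacy-login": { version: "1.0.0",
    dependencies: { "auth0-lock": { version: "10.24.3" } } },
} };
console.log(findAffected(sampleV3), findAffected(sampleV1));
```

Versions are compared numerically per component, so 11.3.0 is correctly treated as older than 11.25.1; a plain string comparison would get that wrong.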