Skip to content

DOM-based XSS in auth0-lock

Low severity GitHub Reviewed Published Aug 17, 2020 in auth0/lock • Updated Jan 9, 2023

Package

npm auth0-lock (npm)

Affected versions

<= 11.25.1

Patched versions

11.26.3

Description

Overview

Versions before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection.

  • For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input.
  • For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the lock widget opens.

When Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

  • You are using auth0-lock
  • You are using Passwordless or Enterprise connection mode

How to fix that?

Upgrade to version 11.26.3

Will this update impact my users?

The fix provided in patch will not affect your users.

Credit

https://github.com/mvisat

References

@lzychowski lzychowski published to auth0/lock Aug 17, 2020
Reviewed Aug 19, 2020
Published to the GitHub Advisory Database Aug 19, 2020
Last updated Jan 9, 2023

Severity

Low

EPSS score

0.054%
(24th percentile)

Weaknesses

CVE ID

CVE-2020-15119

GHSA ID

GHSA-6gg3-pmm7-97xc

Source code

No known source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.