auth0-lock vulnerable to XSS via unsanitized placeholder property

Severity:: Medium

Description

Auth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the additionalSignUpFields customization option to add a checkbox to the sign-up dialog that are passing a placeholder property obtained from an untrusted source (e.g.

Recommendation

Update the auth0-lock package to the latest compatible version. Followings are version details:

Affected version(s): < 11.21.0
Patched version(s): 11.21.0

References

GHSA-w2pf-g6r8-pg22
auth0.com
CVE-2019-20174
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

DOM-based XSS in auth0-lock - CVE-2020-15119
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types - CVE-2026-31868
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload - CVE-2026-30948

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; auth0-lock

Anything's wrong? Let us know Last updated on September 11, 2023