Description
Auth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the additionalSignUpFields customization option to add a checkbox to the sign-up dialog that are passing a placeholder property obtained from an untrusted source (e.g.
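Two defensive checks that follow from the advisory, written here as an added example rather than code from auth0-lock or Auth0: a version gate implementing the affected range (< 11.21.0), and an HTML-escaping wrapper applied to an untrusted placeholder before it is handed to a checkbox entry in additionalSignUpFields. The field keys (type, name, placeholder) follow Lock's documented option names; the sample placeholder is constructed.

```javascript
// Added example, not auth0-lock's own code.

// Parse "MAJOR.MINOR.PATCH" into numbers; missing or non-numeric parts become 0.
function parseSemver(version) {
  return version.split('.').map((p) => parseInt(p, 10) || 0);
}

// True when the installed auth0-lock version is inside the affected
// range from the advisory (< 11.21.0), i.e. before the patched release.
function isAffectedLockVersion(version) {
  const [major, minor, patch] = parseSemver(version);
  const [fixMajor, fixMinor, fixPatch] = [11, 21, 0];
  if (major !== fixMajor) return major < fixMajor;
  if (minor !== fixMinor) return minor < fixMinor;
  return patch < fixPatch;
}

// Escape the characters that let untrusted text break out of HTML
// text or attribute context. Ampersand must be replaced first so the
// entities produced by later replacements are not re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build a checkbox entry for additionalSignUpFields with the placeholder
// escaped on the calling side. This is a stopgap for deployments that
// cannot upgrade immediately; the actual fix is auth0-lock 11.21.0+.
function safeCheckboxField(name, untrustedPlaceholder) {
  return {
    type: 'checkbox',
    name,
    placeholder: escapeHtml(untrustedPlaceholder),
  };
}

// Constructed sample: a placeholder string that arrives from an untrusted source.
const untrustedPlaceholder = 'I agree to the <b>terms</b> & "conditions"';
const acceptTermsField = safeCheckboxField('accept_terms', untrustedPlaceholder);
```

Once the package is on 11.21.0 or later, rely on the library's own sanitization and drop the caller-side escaping; if the library escapes the value again, the entities would be shown literally in the checkbox label.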
Recommendation
Update the auth0-lock package to the latest compatible version. The version details are as follows:
- Affected version(s): < 11.21.0
- Patched version(s): 11.21.0
- Tags:
- npm
- auth0-lock
Last updated on September 11, 2023