Description
Versions of @auth0/nextjs-auth0 up to and including 1.4.1 are vulnerable to reflected cross-site scripting (XSS). An attacker can execute arbitrary script in a victim's browser by supplying an XSS payload in the error query parameter, which the callback handler processes as an error message and reflects into the response page.
Recommendation
Update the @auth0/nextjs-auth0 package to the latest compatible version. Version details:
- Affected version(s): < 1.4.2
- Patched version(s): 1.4.2
References
Related Issues
- Parse Server crashes with query parameter - CVE-2021-39187
- Reflected XSS when using flashMessages or languageDictionary - CVE-2021-32641
- QooxDoo XSS in Callback Parameter - CVE-2011-1714
- Clipboard-based XSS - CVE-2021-41086
Tags:
- npm
- @auth0/nextjs-auth0
Last updated on February 01, 2023