Description
Versions before and including 11.30.0 are vulnerable to reflected cross-site scripting (XSS). An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage.
Recommendation
Update the auth0-lock package to the latest compatible version. Version details:
- Affected version(s): < 11.30.1
- Patched version(s): 11.30.1
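Beyond upgrading, the root cause described above is avoidable on the application side: the login page should never pass free text taken from a URL parameter into the flashMessage option. The following is an added example, not code from this advisory or from the auth0-lock project. It assumes Lock is configured with an options object holding `flashMessage: { type, text }` and that the page receives a message selector in a query parameter named `msg`; both names, the message codes, and the sample URLs are assumptions constructed for the example. The URL carries only a short allowlisted code, so a crafted link can choose between fixed messages but cannot supply its own string; the chosen string is additionally HTML-escaped before it is handed to a component that may render it as markup.

```javascript
// Added example (not from the advisory or from auth0-lock): derive the
// `flashMessage` option for Auth0 Lock from a URL query parameter without
// reflecting attacker-controlled text into the login page.
//
// Assumptions: Lock takes an options object containing
// `flashMessage: { type, text }`, and the page is linked to with a query
// parameter named `msg`. Both names are assumptions for this example.

// Allowlist: the URL carries a code, never display text. Codes that are not
// in this map are ignored, so a crafted link cannot pick the rendered string.
const FLASH_MESSAGES = Object.freeze({
  session_expired: { type: 'error',   text: 'Your session has expired. Please sign in again.' },
  password_reset:  { type: 'success', text: 'Your password was reset. Sign in with the new one.' },
  signed_out:      { type: 'success', text: 'You have been signed out.' },
});

// Defence in depth: even allowlisted strings are HTML-escaped before they
// reach a component that may insert them into the DOM as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Returns the flashMessage option to pass to Lock, or null when the URL
// carries no recognised code (in which case no flash message is shown).
function flashMessageFromQuery(search) {
  const params = new URLSearchParams(search);
  const code = params.get('msg');
  if (code === null) return null;
  // Exact own-property lookup: no normalisation or prefix matching, and
  // inherited names such as "constructor" or "__proto__" are rejected too.
  if (!Object.prototype.hasOwnProperty.call(FLASH_MESSAGES, code)) return null;
  const { type, text } = FLASH_MESSAGES[code];
  return { type, text: escapeHtml(text) };
}

// Constructed inputs: a legitimate link, and a link whose parameter carries
// percent-encoded markup ("<b>injected</b>") instead of a code.
const GOOD = flashMessageFromQuery('?msg=session_expired');
const CRAFTED = flashMessageFromQuery('?msg=%3Cb%3Einjected%3C%2Fb%3E');
// GOOD    → { type: 'error', text: 'Your session has expired. Please sign in again.' }
// CRAFTED → null

// Wiring into Lock (assumed constructor shape; not executed here):
// const options = { ...otherLockOptions, ...(GOOD ? { flashMessage: GOOD } : {}) };
// const lock = new Auth0Lock(clientId, domain, options);
```

The design choice worth noting is that the URL parameter selects a message rather than supplying one; escaping alone would make the reflected string inert but would still let a crafted link put arbitrary wording on the login page, which is its own phishing risk.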
Last updated on February 01, 2023