CVE-2021-32641
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage or the library's languageDictionary feature is utilized and user input or data from URL parameters is incorporated into the languageDictionary. The vulnerability is patched in version 11.30.1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| auth0 | lock | <= 11.30.0 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm
- https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed
- https://github.com/auth0/lock/releases/tag/v11.30.1
References
- https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm
- https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed
- https://github.com/auth0/lock/releases/tag/v11.30.1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.