CVE-2022-29172
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service user_metdata payload (using the name property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using auth0-lock version 11.32.2 or lower and are using the “additional signup fields” feature in your application. Upgrade to version 11.33.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| auth0 | lock | < 11.33.0 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
- https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7
- https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.