Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for lock by auth0
CVE-2022-29172 (GCVE-0-2022-29172)
Vulnerability from nvd – Published: 2022-05-05 22:50 – Updated: 2025-04-23 18:30
VLAI
Title
HTML injection with additional signup fields
Summary
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application. Upgrade to version `11.33.0`.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/security/advisories… | x_refsource_CONFIRM |
| https://github.com/auth0/lock/commit/79ae557d3312… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:53.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:07:48.610285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:30:53.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lock",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c 11.33.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient\u0027s name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application. Upgrade to version `11.33.0`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T22:50:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"
}
],
"source": {
"advisory": "GHSA-7ww6-75fj-jcj7",
"discovery": "UNKNOWN"
},
"title": "HTML injection with additional signup fields",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29172",
"STATE": "PUBLIC",
"TITLE": "HTML injection with additional signup fields"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lock",
"version": {
"version_data": [
{
"version_value": "\u003c 11.33.0"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient\u0027s name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application. Upgrade to version `11.33.0`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"
},
{
"name": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"
}
]
},
"source": {
"advisory": "GHSA-7ww6-75fj-jcj7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29172",
"datePublished": "2022-05-05T22:50:09.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:30:53.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32641 (GCVE-0-2021-32641)
Vulnerability from nvd – Published: 2021-06-04 21:10 – Updated: 2024-08-03 23:25
VLAI
Title
Reflected XSS when using flashMessages
Summary
auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1.
Severity
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/security/advisories… | x_refsource_CONFIRM |
| https://github.com/auth0/lock/commit/d139cf01c823… | x_refsource_MISC |
| https://github.com/auth0/lock/releases/tag/v11.30.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.021Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.30.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lock",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.30.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "auth0-lock is Auth0\u0027s signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library\u0027s `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library\u0027s `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-04T21:10:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.30.1"
}
],
"source": {
"advisory": "GHSA-jr3j-whm4-9wwm",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS when using flashMessages",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32641",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS when using flashMessages"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lock",
"version": {
"version_data": [
{
"version_value": "\u003c= 11.30.0"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "auth0-lock is Auth0\u0027s signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library\u0027s `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library\u0027s `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm"
},
{
"name": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed"
},
{
"name": "https://github.com/auth0/lock/releases/tag/v11.30.1",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/releases/tag/v11.30.1"
}
]
},
"source": {
"advisory": "GHSA-jr3j-whm4-9wwm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32641",
"datePublished": "2021-06-04T21:10:11.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:25:31.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15119 (GCVE-0-2020-15119)
Vulnerability from nvd – Published: 2020-08-19 21:20 – Updated: 2024-08-04 13:08
VLAI
Title
DOM-based XSS in auth0-lock
Summary
In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/security/advisories… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lock",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.25.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-19T21:20:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc"
}
],
"source": {
"advisory": "GHSA-6gg3-pmm7-97xc",
"discovery": "UNKNOWN"
},
"title": "DOM-based XSS in auth0-lock",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15119",
"STATE": "PUBLIC",
"TITLE": "DOM-based XSS in auth0-lock"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lock",
"version": {
"version_data": [
{
"version_value": "\u003c= 11.25.1"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc"
}
]
},
"source": {
"advisory": "GHSA-6gg3-pmm7-97xc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15119",
"datePublished": "2020-08-19T21:20:11.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:21.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20174 (GCVE-0-2019-20174)
Vulnerability from nvd – Published: 2020-02-03 17:13 – Updated: 2024-08-05 02:39
VLAI
Summary
Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/releases/tag/v11.21.0 | x_refsource_MISC |
| https://auth0.com/docs/security/bulletins/cve-201… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:09.109Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.21.0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2019-20174"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-03T17:13:42.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.21.0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2019-20174"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20174",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/releases/tag/v11.21.0",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/releases/tag/v11.21.0"
},
{
"name": "https://auth0.com/docs/security/bulletins/cve-2019-20174",
"refsource": "CONFIRM",
"url": "https://auth0.com/docs/security/bulletins/cve-2019-20174"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20174",
"datePublished": "2020-02-03T17:13:42.000Z",
"dateReserved": "2019-12-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:39:09.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29172 (GCVE-0-2022-29172)
Vulnerability from cvelistv5 – Published: 2022-05-05 22:50 – Updated: 2025-04-23 18:30
VLAI
Title
HTML injection with additional signup fields
Summary
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application. Upgrade to version `11.33.0`.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/security/advisories… | x_refsource_CONFIRM |
| https://github.com/auth0/lock/commit/79ae557d3312… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:53.986Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:07:48.610285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:30:53.070Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lock",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c 11.33.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient\u0027s name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application. Upgrade to version `11.33.0`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-05T22:50:09.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"
}
],
"source": {
"advisory": "GHSA-7ww6-75fj-jcj7",
"discovery": "UNKNOWN"
},
"title": "HTML injection with additional signup fields",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29172",
"STATE": "PUBLIC",
"TITLE": "HTML injection with additional signup fields"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lock",
"version": {
"version_data": [
{
"version_value": "\u003c 11.33.0"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient\u0027s name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application. Upgrade to version `11.33.0`."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"
},
{
"name": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"
}
]
},
"source": {
"advisory": "GHSA-7ww6-75fj-jcj7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29172",
"datePublished": "2022-05-05T22:50:09.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:30:53.070Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-32641 (GCVE-0-2021-32641)
Vulnerability from cvelistv5 – Published: 2021-06-04 21:10 – Updated: 2024-08-03 23:25
VLAI
Title
Reflected XSS when using flashMessages
Summary
auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1.
Severity
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/security/advisories… | x_refsource_CONFIRM |
| https://github.com/auth0/lock/commit/d139cf01c823… | x_refsource_MISC |
| https://github.com/auth0/lock/releases/tag/v11.30.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.021Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.30.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lock",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.30.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "auth0-lock is Auth0\u0027s signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library\u0027s `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library\u0027s `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-04T21:10:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.30.1"
}
],
"source": {
"advisory": "GHSA-jr3j-whm4-9wwm",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS when using flashMessages",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32641",
"STATE": "PUBLIC",
"TITLE": "Reflected XSS when using flashMessages"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lock",
"version": {
"version_data": [
{
"version_value": "\u003c= 11.30.0"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "auth0-lock is Auth0\u0027s signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library\u0027s `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library\u0027s `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm"
},
{
"name": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed"
},
{
"name": "https://github.com/auth0/lock/releases/tag/v11.30.1",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/releases/tag/v11.30.1"
}
]
},
"source": {
"advisory": "GHSA-jr3j-whm4-9wwm",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32641",
"datePublished": "2021-06-04T21:10:11.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2024-08-03T23:25:31.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15119 (GCVE-0-2020-15119)
Vulnerability from cvelistv5 – Published: 2020-08-19 21:20 – Updated: 2024-08-04 13:08
VLAI
Title
DOM-based XSS in auth0-lock
Summary
In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/security/advisories… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "lock",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c= 11.25.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-19T21:20:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc"
}
],
"source": {
"advisory": "GHSA-6gg3-pmm7-97xc",
"discovery": "UNKNOWN"
},
"title": "DOM-based XSS in auth0-lock",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15119",
"STATE": "PUBLIC",
"TITLE": "DOM-based XSS in auth0-lock"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "lock",
"version": {
"version_data": [
{
"version_value": "\u003c= 11.25.1"
}
]
}
}
]
},
"vendor_name": "auth0"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc",
"refsource": "CONFIRM",
"url": "https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc"
}
]
},
"source": {
"advisory": "GHSA-6gg3-pmm7-97xc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15119",
"datePublished": "2020-08-19T21:20:11.000Z",
"dateReserved": "2020-06-25T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:08:21.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20174 (GCVE-0-2019-20174)
Vulnerability from cvelistv5 – Published: 2020-02-03 17:13 – Updated: 2024-08-05 02:39
VLAI
Summary
Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/auth0/lock/releases/tag/v11.21.0 | x_refsource_MISC |
| https://auth0.com/docs/security/bulletins/cve-201… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:09.109Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.21.0"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2019-20174"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-03T17:13:42.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/lock/releases/tag/v11.21.0"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://auth0.com/docs/security/bulletins/cve-2019-20174"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20174",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/auth0/lock/releases/tag/v11.21.0",
"refsource": "MISC",
"url": "https://github.com/auth0/lock/releases/tag/v11.21.0"
},
{
"name": "https://auth0.com/docs/security/bulletins/cve-2019-20174",
"refsource": "CONFIRM",
"url": "https://auth0.com/docs/security/bulletins/cve-2019-20174"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20174",
"datePublished": "2020-02-03T17:13:42.000Z",
"dateReserved": "2019-12-31T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:39:09.109Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}