GHSA-7WW6-75FJ-JCJ7
Vulnerability from github – Published: 2022-05-24 20:49 – Updated: 2022-05-24 20:49
Overview
In versions before and including 11.32.2, when the “additional signup fields” feature is configured, a malicious actor can inject unvalidated HTML code into these additional fields, which is then stored in the service user_metadata payload (using the name property).
Verification emails, when applicable, are generated using this metadata. It is therefore possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.
Am I affected?
You are impacted by this vulnerability if you are using auth0-lock version 11.32.2 or lower and are using the “additional signup fields” feature in your application.
How to fix that?
Upgrade to version 11.33.0.
Will this update impact my users?
Additional signup fields that have been added to the signup tab on Lock will have HTML tags stripped from user input from version 11.33.0 onwards. The user will not receive any validation warning or feedback, but backend data will no longer include HTML.
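The two controls the advisory implies are shown below as an added example (not code from auth0-lock or Auth0): stripping tags from additional signup field values at intake, which is the behaviour described for 11.33.0, and HTML-escaping the stored name at the point where an email template interpolates it, which protects any template that renders metadata written before the upgrade. The field object, the template functions and the sample values are constructed for illustration; the real Lock and email-template code is not shown.

```javascript
// Added example, not auth0-lock's own code. Demonstrates the two layers that
// keep user-supplied signup-field values out of an HTML email as markup.

// Layer 1: strip tags at intake. Lossy by design: anything from "<" up to the
// next ">" (or end of string, for an unterminated tag) is removed, so a name
// like "a < b" loses text. That matches the advisory's "no validation
// feedback, but backend data will no longer include HTML" trade-off.
function stripHtmlTags(value) {
  return String(value).replace(/<[^>]*>?/g, "");
}

// Apply the strip to every string-valued additional signup field.
// `fields` is a constructed stand-in for the user_metadata payload.
function sanitizeAdditionalSignupFields(fields) {
  const clean = {};
  for (const [key, value] of Object.entries(fields)) {
    clean[key] = typeof value === "string" ? stripHtmlTags(value) : value;
  }
  return clean;
}

// Layer 2: escape at render time, so stored data that still contains markup
// (e.g. written before the fix) is shown as literal text in the email.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical verification-email template: the risky form interpolates the
// metadata name verbatim, the hardened form escapes every interpolated value.
function renderVerificationEmailUnsafe(userMetadata, verifyUrl) {
  return `<p>Hi ${userMetadata.name}, verify here: <a href="${verifyUrl}">Verify</a></p>`;
}
function renderVerificationEmailSafe(userMetadata, verifyUrl) {
  return `<p>Hi ${escapeHtml(userMetadata.name)}, verify here: <a href="${escapeHtml(verifyUrl)}">Verify</a></p>`;
}

// Constructed sample input: a name value carrying a link tag.
const sampleFields = { name: '<a href="https://example.invalid">Alice</a>', team: "<b>ops" };
const verifyUrl = "https://example.invalid/verify?t=1&u=2";

console.log(sanitizeAdditionalSignupFields(sampleFields));
// unsafe rendering leaves the attacker-controlled tag intact; safe rendering does not
console.log(renderVerificationEmailUnsafe(sampleFields, verifyUrl));
console.log(renderVerificationEmailSafe(sampleFields, verifyUrl));
```

Stripping at intake protects new data; escaping at render time is what actually closes the path for every template, so a deployment that upgrades Lock should still check that its own email templates escape user_metadata values rather than relying on the strip alone.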
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "auth0-lock"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-29172"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2022-05-24T20:49:20Z",
"nvd_published_at": "2022-05-05T23:15:00Z",
"severity": "MODERATE"
},
"details": "### Overview\n\nIn versions before and including `11.32.2`, when the \u201cadditional signup fields\u201d feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property).\n\nVerification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient\u0027s name within the delivered email template.\n\n### Am I affected?\nYou are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the \u201cadditional signup fields\u201d feature in your application.\n\n### How to fix that?\nUpgrade to version `11.33.0`.\n\n### Will this update impact my users?\nAdditional signup fields that have been added to the signup tab on Lock will have HTML tags stripped from user input from version `11.33.0` onwards. The user will not receive any validation warning or feedback, but backend data will no longer include HTML.",
"id": "GHSA-7ww6-75fj-jcj7",
"modified": "2022-05-24T20:49:20Z",
"published": "2022-05-24T20:49:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29172"
},
{
"type": "WEB",
"url": "https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"
},
{
"type": "PACKAGE",
"url": "https://github.com/auth0/lock"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cross-site Scripting in Auth0 Lock"
}