GHSA-W2PF-G6R8-PG22

Vulnerability from github – Published: 2020-01-31 17:59 – Updated: 2023-09-11 18:14
VLAI?
Summary
auth0-lock vulnerable to XSS via unsanitized placeholder property
Details

Overview

Auth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the additionalSignUpFields customization option to add a checkbox to the sign-up dialog that are passing a placeholder property obtained from an untrusted source (e.g. a query parameter) could allow cross-site scripting (XSS) on their signup pages.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

  • You are using Auth0 Lock version 11.20.4 or earlier.
  • You pass additionalSignUpFields as options when initializing Lock which includes a field of type checkbox whose placeholder value is obtained from an untrusted source.

An example of a vulnerable snippet is the following where the placeholder value is partially user-controlled by the name query parameter:

<script>
    var params = new URLSearchParams(window.location.search);
    var options = {
        auth: {
            redirectUrl: 'http://localhost:12345/callback',
            responseType: 'code',
            params: {
                scope: 'openid email',
            },
        },
        additionalSignUpFields: [{
            name: 'agree',
            type: 'checkbox',
            placeholder: "I agree to Terms and Conditions for " + params.get('name'),
        }],
    };
    var lock = new Auth0Lock('<CLIENT_ID>', '<TENANT_NAME>.auth0.com', options);
    lock.show({
        allowShowPassword: true,
        initialScreen: 'signUp',
    });
</script>

How to fix that?

Developers using Auth0’s signin solution Lock need to upgrade to version 11.21.0 or later. Version 11.21.0 introduces two changes:

  1. The existing placeholder property is now treated as plain text to mitigate the problem.
  2. A new placeholderHTML property is introduced that indicates the level of control it provides and that it should be only supplied from trusted sources.

Will this update impact my users?

This fix patches the Auth0 Lock widget and may require changes in application code, but it will not impact your users, their current state, or any existing sessions.

Developers using the placeholder property with HTML content from a trusted source should start using the placeholderHTML property to continue providing the same user experience.

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "auth0-lock"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-20174"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-01-31T00:31:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Overview\n\nAuth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the `additionalSignUpFields` customization option to add a checkbox to the sign-up dialog that are passing a `placeholder` property obtained from an untrusted source (e.g. a query parameter) could allow cross-site scripting (XSS) on their signup pages.\n\n## Am I affected?\n\nYou are affected by this vulnerability if all of the following conditions apply:\n\n- You are using Auth0 Lock version 11.20.4 or earlier.\n- You pass `additionalSignUpFields` as options when initializing Lock which includes a field of type `checkbox` whose `placeholder` value is obtained from an untrusted source.\n\nAn example of a vulnerable snippet is the following where the `placeholder` value is partially user-controlled by the `name` query parameter:\n\n```javascript\n\u003cscript\u003e\n    var params = new URLSearchParams(window.location.search);\n    var options = {\n        auth: {\n            redirectUrl: \u0027http://localhost:12345/callback\u0027,\n            responseType: \u0027code\u0027,\n            params: {\n                scope: \u0027openid email\u0027,\n            },\n        },\n        additionalSignUpFields: [{\n            name: \u0027agree\u0027,\n            type: \u0027checkbox\u0027,\n            placeholder: \"I agree to Terms and Conditions for \" + params.get(\u0027name\u0027),\n        }],\n    };\n    var lock = new Auth0Lock(\u0027\u003cCLIENT_ID\u003e\u0027, \u0027\u003cTENANT_NAME\u003e.auth0.com\u0027, options);\n    lock.show({\n        allowShowPassword: true,\n        initialScreen: \u0027signUp\u0027,\n    });\n\u003c/script\u003e\n```\n\n## How to fix that?\n\nDevelopers using Auth0\u2019s signin solution Lock need to upgrade to version 11.21.0 or later. Version 11.21.0 introduces two changes:\n\n1. The existing `placeholder` property is now treated as plain text to mitigate the problem.\n2. A new `placeholderHTML` property is introduced that indicates the level of control it provides and that it should be only supplied from trusted sources.\n\n## Will this update impact my users?\n\nThis fix patches the Auth0 Lock widget and may require changes in application code, but it will not impact your users, their current state, or any existing sessions.\n\nDevelopers using the `placeholder` property with HTML content from a trusted source should start using the `placeholderHTML` property to continue providing the same user experience.",
  "id": "GHSA-w2pf-g6r8-pg22",
  "modified": "2023-09-11T18:14:11Z",
  "published": "2020-01-31T17:59:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/auth0/lock/security/advisories/GHSA-w2pf-g6r8-pg22"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/lock/commit/6c15e5659c21cd814ea119af5c51b61399598dd5"
    },
    {
      "type": "WEB",
      "url": "https://auth0.com/docs/security/bulletins/cve-2019-20174"
    },
    {
      "type": "WEB",
      "url": "https://github.com/auth0/lock/releases/tag/v11.21.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "auth0-lock vulnerable to XSS via unsanitized placeholder property"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.