Lucene search
GoogleOSV:GHSA-6GG3-PMM7-97XCHistoryAug 19, 2020 - 9:05 p.m.
DOM-based XSS in auth0-lock
2020-08-1921:05:03
Google
osv.dev
6
dom-based xss
auth0-lock
passwordless
enterprise
upgrade
vulnerability
EPSS
0.001
Percentile
22.7%
Overview
Versions before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection.
- For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input.
- For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the
lockwidget opens.
When Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
- You are using auth0-lock
- You are using Passwordless or Enterprise connection mode
How to fix that?
Upgrade to version 11.26.3
Will this update impact my users?
The fix provided in patch will not affect your users.
Credit
Related
github
github
DOM-based XSS in auth0-lock
2020-08-19 21:05:03
prion
prion
Cross site scripting
2020-08-20 01:17:00
nvd
nvd
CVE-2020-15119
2020-08-20 01:17:11
osv
osv
CVE-2020-15119
2020-08-20 01:17:11
githubexploit
githubexploit
Exploit for Cross-site Scripting in Auth0 Lock
2020-12-01 09:45:48
veracode
veracode
Cross-Site Scripting (XSS)
2020-08-20 02:19:31
cvelist
cvelist
CVE-2020-15119 DOM-based XSS in auth0-lock
2020-08-19 21:20:11
cve
cve
CVE-2020-15119
2020-08-20 01:17:11
nodejs
nodejs
DOM-based XSS
2020-08-19 21:15:29