39 matches found
Malicious Package
Overview auth0-lock-webpack is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
CVE-2019-20174
Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder...
EUVD-2021-1348
Malware in sbrugna...
EUVD-2020-0280
Malware in sbrugna...
EUVD-2020-0601
Malware in sbrugna...
CVE-2020-15119
In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks...
MAL-2024-11818 Malicious code in auth0-lock-webpack (npm)
Source: ossf-package-analysis fc8cb7c85f580c66397adec583bbd6623eafcb98683fcf6299ca73188892009f The OpenSSF Package Analysis project identified 'auth0-lock-webpack' @ 99.99.99 npm as malicious. It is considered malicious because: - The...
Malicious code in auth0-lock-browserify (npm)
@apim/auth0-lock-redux (>=1.0.0 <=1.0.2), @brudi-toolbox/id (>=1.4.5-next.1 <=2.0.4-next.2) +38 more potentially affected by CVE-2022-29172 via auth0-lock (>=10.14.0 <=11.31.0)
auth0-lock NPM version =10.14.0, =1.0.0, =1.4.5-next.1, =2.2.0, =1.0.0, =0.1.0, =0.3.0, =0.0.1, =1.0.0, =0.1.0, =0.5.3, =0.1.13, =1.0.0, =0.0.1, =0.0.5 - auth0-react-sample =1.0.0 and more Source cves: CVE-2022-29172 Source advisory: OSV:GHSA-7WW6-75FJ-JCJ7...
GHSA-7WW6-75FJ-JCJ7 Cross-site Scripting in Auth0 Lock
Overview In versions before and including 11.32.2, when the “additional signup fields” feature is configured, a malicious actor can inject unvalidated HTML code into these additional fields, which is then stored in the service user metadata payload using the name property. Verification emails, when...
Cross-Site Scripting (XSS)
auth0-lock is vulnerable to cross-site scripting. The vulnerability exists in the signUp function in actions.js due to a lack of sanitization of the additional sign-up fields, which allows an attacker to inject and execute arbitrary JavaScript...
CVE-2022-29172 HTML injection with additional signup fields
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject unvalidated HTML code...
Cross-Site Scripting (XSS)
auth0-lock is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript in a user's browser via the flashMessage feature or languageDictionary feature...
CVE-2021-32641
auth0-lock is Auth0's signin solution. Versions of auth0-lock before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage ...
Design/Logic Flaw
auth0-lock is Auth0's signin solution. Versions of auth0-lock before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage ...
CVE-2021-32641
CVE-2021-32641 affects Auth0-lock (Auth0’s signin solution). Versions up to and including 11.30.0 are vulnerable to a reflected XSS when user input from URL parameters is injected into the library’s flashMessage or languageDictionary features. The issue is addressed in version 11.30.1, which patc...
CVE-2021-32641 Reflected XSS when using flashMessages
auth0-lock is Auth0's signin solution. Versions of auth0-lock before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage ...
Reflected Cross-Site Scripting
Overview There is an XSS vulnerability in affected versions of auth0-lock. Versions before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is...