4 matches found
@apim/auth0-lock-redux (>=1.0.0 <=1.0.2), @brudi-toolbox/id (>=1.4.5-next.1 <=2.0.4-next.2) +38 more potentially affected by CVE-2022-29172 via auth0-lock (>=10.14.0 <=11.31.0)
auth0-lock NPM version =10.14.0, =1.0.0, =1.4.5-next.1, =2.2.0, =1.0.0, =0.1.0, =0.3.0, =0.0.1, =1.0.0, =0.1.0, =0.5.3, =0.1.13, =1.0.0, =0.0.1, =0.0.5 - auth0-react-sample =1.0.0 and more Source cves: CVE-2022-29172 Source advisory: OSV:GHSA-7WW6-75FJ-JCJ7...
CVE-2022-29172 HTML injection with additional signup fields
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML code...
CVE-2022-29172 HTML injection with additional signup fields
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML code...
CVE-2022-29172
Auth0 Lock (auth0-lock) vulnerability CVE-2022-29172 affects versions before 11.33.0 where the “additional signup fields” feature allows HTML injection into the fields, storing invalid HTML in the user metadata payload (name property). This can cause a crafted link to render HTML in the recipient...