CVE-2022-29172
The Auth0 Lock (auth0-lock) vulnerability CVE-2022-29172 affects versions before 11.33.0: the “additional signup fields” feature allows HTML injection into the fields, storing invalid HTML in the user metadata payload (name property). This can cause a crafted link to render HTML in the recipient...
CVE-2021-32641
CVE-2021-32641 affects Auth0-lock (Auth0’s signin solution). Versions up to and including 11.30.0 are vulnerable to a reflected XSS when user input from URL parameters is injected into the library’s flashMessage or languageDictionary features. The issue is addressed in version 11.30.1, which patc...
CVE-2020-15119
CVE-2020-15119 concerns the auth0-lock widget. Vulnerability: using dangerouslySetInnerHTML to update the DOM can enable cross-site scripting (XSS) when Passwordless or Enterprise connections are used. Affected versions: up to and including 11.25.1. Impact: potential exposure of arbitrary JavaSc...
CVE-2019-20174
Auth0 Lock prior to version 11.21.0 is vulnerable to cross-site scripting when additionalSignUpFields uses an untrusted placeholder. The issue is triggered by untrusted placeholder content being rendered in the Sign Up dialog, enabling XSS. Red Hat and OSV records corroborate the same description...