npm package
auth0-lock
pkg:npm/auth0-lock
Vulnerabilities (4)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-29172 | — | — | — | < 11.33.0 | 11.33.0 | May 5, 2022 | Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the "additional signup fields" feature [is configured](https://github.com/auth0/lock#ad |
| CVE-2021-32641 | — | — | — | < 11.30.1 | 11.30.1 | Jun 4, 2021 | auth0-lock is Auth0's signin solution. Versions of auth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated i |
| CVE-2020-15119 | — | — | — | < 11.26.3 | 11.26.3 | Aug 19, 2020 | In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks. |
| CVE-2019-20174 | — | — | — | < 11.21.0 | 11.21.0 | Feb 3, 2020 | Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder. |
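All four advisories above share the same shape: every release below the "Fixed in" version is affected, and the highest fix version (11.33.0) clears all of them. The script below is an added example, not code from auth0-lock or from the advisory database; it transcribes the four ranges from the table, implements the semver comparison needed to test an installed version against them (numeric comparison, so 11.4.0 sorts before 11.33.0), and reads the pinned version out of a `package-lock.json`. The lockfile content is constructed for the example. A version match means "potentially affected": CVE-2021-32641 and CVE-2019-20174 additionally require that the application passes untrusted data into `flashMessage` or an `additionalSignUpFields` placeholder, which a version check cannot see.

```javascript
// Added example: offline check of an installed auth0-lock version against the
// four advisories listed on this page. The ranges are transcribed from the
// table; nothing here is auth0-lock's own code.
const ADVISORIES = [
  { id: "CVE-2022-29172", fixedIn: "11.33.0", feature: "additional signup fields" },
  { id: "CVE-2021-32641", fixedIn: "11.30.1", feature: "flashMessage with URL/user-derived text" },
  { id: "CVE-2020-15119", fixedIn: "11.26.3", feature: "dangerouslySetInnerHTML DOM updates" },
  { id: "CVE-2019-20174", fixedIn: "11.21.0", feature: "additionalSignUpFields placeholder" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v"); reject anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a release version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver ordering: numeric core first; a pre-release sorts before its release
// (11.33.0-beta.1 < 11.33.0). Pre-release identifiers are compared lexically,
// a simplification of the full semver rules that is enough for "is before the fix".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every advisory on this page is "affected < fixedIn", so one comparison each.
function findAffected(installed) {
  return ADVISORIES.filter((a) => compareVersions(installed, a.fixedIn) < 0).map((a) => a.id);
}

// Smallest version that clears every advisory: the highest "fixed in" value.
function minimumSafeVersion() {
  return ADVISORIES.map((a) => a.fixedIn).sort(compareVersions)[ADVISORIES.length - 1];
}

// Pinned auth0-lock version from a package-lock.json: lockfileVersion 2/3 keeps a
// "packages" map keyed by path, lockfileVersion 1 a "dependencies" map by name.
function lockedVersion(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const pkg = lock.packages?.["node_modules/auth0-lock"] ?? lock.dependencies?.["auth0-lock"];
  return pkg ? pkg.version : null;
}

// Full audit: which CVEs apply to the pinned version, and what to upgrade to.
function auditLockfile(lockfileJson) {
  const installed = lockedVersion(lockfileJson);
  if (installed === null) return { installed: null, affected: [], upgradeTo: null };
  const affected = findAffected(installed);
  return { installed, affected, upgradeTo: affected.length ? minimumSafeVersion() : null };
}

// Constructed sample lockfile (lockfileVersion 3 shape), not taken from a real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/auth0-lock": { version: "11.29.0" },
  },
});

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK)));
// → {"installed":"11.29.0","affected":["CVE-2022-29172","CVE-2021-32641"],"upgradeTo":"11.33.0"}
```

Run it against a real lockfile with `node audit.js < package-lock.json` after swapping `SAMPLE_LOCK` for `require("fs").readFileSync(0, "utf8")`. When the result is non-empty, the fix is the same in every case: move to 11.33.0 or later, and separately review any `flashMessage` text or `additionalSignUpFields` placeholder that is built from request data.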