GHSA-6gg3-pmm7-97xc

GitHub Security Advisory

DOM-based XSS in auth0-lock

✓ GitHub Reviewed LOW Has CVE

Advisory Details

### Overview
Versions up to and including `11.25.1` use `dangerouslySetInnerHTML` to display an informational message when used with a Passwordless or Enterprise connection.

- For Passwordless connections, the value of the input (email or phone number) is displayed back to the user while waiting for the verification code to be entered.
- For Enterprise connections, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the `lock` widget opens.

When Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
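The pattern the advisory describes, as an added illustration that is not auth0-lock's own code: the identifier the user (or the dashboard) supplied is interpolated into an informational message. The first function mirrors what `dangerouslySetInnerHTML` does with a raw string; the second escapes the value so it can only ever render as text. In React the equivalent fix is to pass the value as a text child (`<strong>{identifier}</strong>`), which React escapes automatically. The sample identifier is constructed for the demonstration.

```javascript
// Escape the five characters that can change HTML structure or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the user-controlled identifier is spliced into markup that
// is later assigned as innerHTML (what dangerouslySetInnerHTML does in React).
function infoMessageHtmlUnsafe(identifier) {
  return `<p>We sent you a code to <strong>${identifier}</strong></p>`;
}

// Hardened pattern: escape before interpolation, so the identifier is inert text.
function infoMessageHtmlSafe(identifier) {
  return `<p>We sent you a code to <strong>${escapeHtml(identifier)}</strong></p>`;
}

// Review/test aid: report whether the produced markup contains any tag beyond the
// template's own. Any extra tag means the identifier changed the DOM structure.
function containsUnexpectedTag(html) {
  const allowed = new Set(['p', '/p', 'strong', '/strong']);
  const tags = [...html.matchAll(/<([^\s>]+)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

// Constructed sample: an "email" that carries markup instead of just an address.
const SAMPLE_IDENTIFIER = 'alice@example.com<em>injected</em>';

function demo() {
  return {
    unsafeInjects: containsUnexpectedTag(infoMessageHtmlUnsafe(SAMPLE_IDENTIFIER)), // true
    safeInjects: containsUnexpectedTag(infoMessageHtmlSafe(SAMPLE_IDENTIFIER)),     // false
  };
}
```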

### Am I affected?
You are affected by this vulnerability if all of the following conditions apply:

- You are using auth0-lock
- You are using Passwordless or Enterprise connection mode

### How to fix it?
Upgrade to version `11.26.3`.

### Will this update impact my users?
The fix provided in the patch will not affect your users.

### Credit
https://github.com/mvisat

Affected Packages

npm auth0-lock
Affected versions: 0 (fixed in 11.26.3)

Key Information

GHSA ID: GHSA-6gg3-pmm7-97xc
Published: August 19, 2020 9:05 PM
Last Modified: January 7, 2021 11:40 PM
CVSS Score: 2.5 / 10
Primary Ecosystem: npm
Primary Package: auth0-lock
GitHub Reviewed: Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.