GHSA-7ww6-75fj-jcj7

GitHub Security Advisory

Cross-site Scripting in Auth0 Lock

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Overview

In versions before and including `11.32.2`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject unvalidated HTML into these additional fields, which is then stored in the service's `user_metadata` payload (under the `name` property).

Verification emails, when applicable, are generated using this metadata. It is therefore possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.

### Am I affected?
You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application.

### How do I fix this?
Upgrade to version `11.33.0`.

### Will this update impact my users?
Additional signup fields that have been added to the signup tab on Lock will have HTML tags stripped from user input from version `11.33.0` onwards. The user will not receive any validation warning or feedback, but backend data will no longer include HTML.
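The tag stripping that version `11.33.0` applies to additional signup fields, alongside the output encoding an email template should apply regardless of what is stored, shown as an added example in plain JavaScript. This is not Auth0 Lock's own code; the function names, the `renderGreeting` template and the sample signup payload are assumptions made for illustration.

```javascript
// Added example (not Auth0 Lock's code): two defensive layers for
// "additional signup fields" values that land in user_metadata and are
// later interpolated into verification email templates.

// Layer 1: strip HTML tags from user input before it is stored.
// A small state machine rather than a regex, so nested forms such as
// "<<b>x>" are handled deterministically. Trade-off (as in the advisory):
// the user gets no validation feedback, and a stray '<' with no closing
// '>' swallows the rest of the value.
function stripHtmlTags(value) {
  let out = '';
  let inTag = false;
  for (const ch of String(value)) {
    if (inTag) {
      if (ch === '>') inTag = false;
    } else if (ch === '<') {
      inTag = true;
    } else {
      out += ch;
    }
  }
  return out.trim();
}

// Sanitize every string field of a signup payload (the object that becomes
// user_metadata). Non-string values are passed through unchanged.
function sanitizeSignupFields(fields) {
  const clean = {};
  for (const [key, value] of Object.entries(fields)) {
    clean[key] = typeof value === 'string' ? stripHtmlTags(value) : value;
  }
  return clean;
}

// Layer 2: escape at render time. Even if a stored value somehow contains
// markup, the email template must treat it as text, never as HTML.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical greeting line of a verification email, with the recipient's
// name escaped before it is placed into the HTML body.
function renderGreeting(userMetadata) {
  return `<p>Hello ${escapeHtml(userMetadata.name)}, please verify your email.</p>`;
}

// Constructed sample signup payload whose name field carries markup.
const sampleSignup = { name: 'Alice <b>Smith</b>', team: 'blue' };
```

Either layer alone neutralizes the stored markup; applying both means a gap in one (an older client that does not strip, or a template that interpolates raw) does not reopen the issue.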

Affected Packages

npm auth0-lock
Affected versions: <= 11.32.2 (fixed in 11.33.0)

Related CVEs

Key Information

GHSA ID
GHSA-7ww6-75fj-jcj7
Published
May 24, 2022 8:49 PM
Last Modified
May 24, 2022 8:49 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
auth0-lock
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.