org.webjars.npm:auth0-lock 11.14.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:auth0-lock package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.webjars.npm:auth0-lock is a WebJar for auth0-lock. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the “additional signup fields” feature is configured, allowing a malicious actor to inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:auth0-lock` to version 11.33.0 or higher.	[,11.33.0)
H Cross-site Scripting (XSS) org.webjars.npm:auth0-lock is a WebJar for auth0-lock. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `flashMessage` and `languageDictionary` features. How to fix Cross-site Scripting (XSS)? There is no fixed version for `org.webjars.npm:auth0-lock`.	[0,)
L Cross-site Scripting (XSS) org.webjars.npm:auth0-lock is a WebJar for auth0-lock. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). `auth0-lock` before and including `11.25.1` are using `dangerouslySetInnerHTML` to display an informational message when used with a Passwordless or Enterprise connection. For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input. For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the `lock` widget opens. How to fix Cross-site Scripting (XSS)? There is no fixed version for `org.webjars.npm:auth0-lock`.	[0,)
M Cross-site Scripting (XSS) org.webjars.npm:auth0-lock is a WebJar for auth0-lock. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It did not properly sanitize the generated HTML code. How to fix Cross-site Scripting (XSS)? There is no fixed version for `org.webjars.npm:auth0-lock`.	[0,)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

org.webjars.npm:auth0-lock is a WebJar for auth0-lock.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the “additional signup fields” feature is configured, allowing a malicious actor to inject invalidated HTML code into these additional fields, which is then stored in the service user_metdata payload (using the name property).

Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:auth0-lock to version 11.33.0 or higher.

[,11.33.0)

Cross-site Scripting (XSS)

org.webjars.npm:auth0-lock is a WebJar for auth0-lock.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the flashMessage and languageDictionary features.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars.npm:auth0-lock.

[0,)

Cross-site Scripting (XSS)

org.webjars.npm:auth0-lock is a WebJar for auth0-lock.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). auth0-lock before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection.

For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input. For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the lock widget opens.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars.npm:auth0-lock.

[0,)

Cross-site Scripting (XSS)

org.webjars.npm:auth0-lock is a WebJar for auth0-lock.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It did not properly sanitize the generated HTML code.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.webjars.npm:auth0-lock.

[0,)

org.webjars.npm:auth0-lock@11.14.1 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?