13.0.0
10 years ago
29 days ago
Known vulnerabilities in the auth0-lock package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
auth0-lock is a plugin for Auth0. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the “additional signup fields” feature is configured, allowing a malicious actor to inject invalidated HTML code into these additional fields, which is then stored in the service Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. How to fix Cross-site Scripting (XSS)? Upgrade | <11.33.0 |
auth0-lock is a plugin for Auth0. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the How to fix Cross-site Scripting (XSS)? Upgrade | <11.30.1 |
auth0-lock is a plugin for Auth0. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input. For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the How to fix Cross-site Scripting (XSS)? Upgrade | <11.26.3 |
auth0-lock is a plugin for Auth0. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It did not properly sanitize the generated HTML code. How to fix Cross-site Scripting (XSS)? Upgrade | <11.21.0 |
auth0-lock is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. Affected versions of this package are vulnerable to Cross-Site Request Forgery (CSRF) attacks if the Legacy Lock API flag is enabled. Once the user credentials are verified, an HTML form is rendered into the user’s browser. A JSON Web Token (JWT) is POSTed to the How to fix Cross-site Request Forgery (CSRF)? Upgrade | <11.0.0 |