auth0-lock@11.30.2 vulnerabilities

Auth0 Lock

Direct Vulnerabilities

Known vulnerabilities in the auth0-lock package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

auth0-lock is a plugin for Auth0.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when the “additional signup fields” feature is configured, allowing a malicious actor to inject invalidated HTML code into these additional fields, which is then stored in the service user_metdata payload (using the name property).

Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.

How to fix Cross-site Scripting (XSS)?

Upgrade auth0-lock to version 11.33.0 or higher.

<11.33.0