Advisories for Npm/Auth0-Lock package

2022

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before 11.33.0, when the "additional signup fields" feature is configured, a malicious actor can inject unvalidated HTML code into these additional fields, which is then stored in the service's user_metadata payload (using the name property). Verification emails, when applicable, are generated using this metadata. It is therefore …

2021

Cross-site Scripting

auth0-lock is Auth0's sign-in solution. Versions of auth0-lock up to and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary script when the library's flashMessage feature is used and user input or data from URL parameters is incorporated into the flashMessage, or when the languageDictionary feature is used and user input or data from URL parameters is incorporated into the languageDictionary.

2020

Cross-site Scripting

In auth0-lock, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks, because any markup contained in the value is parsed rather than rendered as text.
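All three advisories above share one root cause: text the application hands to Lock (URL parameters copied into flashMessage or languageDictionary, values typed into additional signup fields) reaches the DOM or an email template as markup. Upgrading past the affected versions is the actual fix; the following added example (not code from Auth0 Lock or from this page) shows the application-side discipline that removes the attacker's input path regardless of library version. It assumes Lock's documented option names flashMessage ({type, text}), languageDictionary and additionalSignUpFields (whose validator returns {valid, hint}); the query parameter names error and title, the error-code table and the company field are hypothetical choices for the demonstration. It runs under Node without a DOM.

```javascript
// Added example: keep untrusted text out of Lock's flashMessage,
// languageDictionary and additionalSignUpFields options.
// Assumed: Lock's option names as documented; parameter names `error`
// and `title`, the ERROR_MESSAGES table and the `company` field are
// hypothetical.

// Escape a value so that, even if the consumer inserts it with
// dangerouslySetInnerHTML, it can only ever render as text.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;' };
  return String(value).replace(/[&<>"'`]/g, (ch) => map[ch]);
}

// Detect tag or entity syntax in a value that should be plain text.
function containsMarkup(value) {
  return /[<>]|&#|&[a-z]+;/i.test(value);
}

// The vulnerable pattern behind the 2021 advisory: query parameters
// copied straight into the options. With Lock <= 11.30.0 the text is
// rendered unescaped, so ?error=<img src=x onerror=...> executes.
function vulnerableOptions(queryString) {
  const params = new URLSearchParams(queryString);
  return {
    flashMessage: { type: 'error', text: params.get('error') },
    languageDictionary: { title: params.get('title') },
  };
}

// Hardened: the URL carries only an error *code*; the message shown is
// chosen by the application, never reflected from the parameter.
const ERROR_MESSAGES = {
  invalid_credentials: 'Wrong email or password.',
  session_expired: 'Your session expired, please sign in again.',
};

function flashMessageFromQuery(queryString) {
  const code = new URLSearchParams(queryString).get('error');
  if (code === null) return undefined;
  const text = Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, code)
    ? ERROR_MESSAGES[code]
    : 'Sign-in failed.';
  return { type: 'error', text };
}

// Free text that genuinely must be displayed (here a title supplied via
// the URL) is escaped before it goes anywhere near the dictionary.
function languageDictionaryFromQuery(queryString) {
  const title = new URLSearchParams(queryString).get('title');
  return title === null ? {} : { title: escapeHtml(title) };
}

// Validator for an additional signup field (the 2022 advisory's vector):
// reject markup client-side so it is never submitted into user_metadata.
// This is defence in depth only; a direct API call bypasses it, so the
// same rule must be enforced server-side as well.
function signUpFieldValidator(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 64) {
    return { valid: false, hint: 'Must be between 1 and 64 characters' };
  }
  if (containsMarkup(value)) {
    return { valid: false, hint: 'HTML is not allowed in this field' };
  }
  return { valid: true };
}

// Assemble the options object an application would pass to `new Auth0Lock(...)`.
function hardenedOptions(queryString) {
  return {
    flashMessage: flashMessageFromQuery(queryString),
    languageDictionary: languageDictionaryFromQuery(queryString),
    additionalSignUpFields: [
      { name: 'company', placeholder: 'your company', validator: signUpFieldValidator },
    ],
  };
}

// Constructed sample input: the kind of URL an attacker would send a victim.
const HOSTILE_QUERY = '?error=<img src=x onerror=alert(1)>&title=<script>x</script>';
console.log(JSON.stringify(vulnerableOptions(HOSTILE_QUERY)));
console.log(JSON.stringify(hardenedOptions(HOSTILE_QUERY)));
console.log(JSON.stringify(signUpFieldValidator('<b>Acme</b>')));
```

The code-table approach is preferable to escaping for the flash message because a patched Lock may escape the text itself, and pre-escaped input would then display as literal `&lt;` sequences; escaping is reserved for the one value that has no fixed vocabulary.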