logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2021-32641 auth0-lock

Package

Manager: npm
Name: auth0-lock
Vulnerable Version: >=0 <11.30.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00339 pctl0.55984

Details

Reflected XSS when using flashMessages or languageDictionary ### Overview Versions before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's - `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage`. - `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. ### Am I affected? You are affected by this vulnerability if you are using `auth0-lock` version `11.30.0` or lower and all of the following conditions apply: - You are utilizing `flashMessage` feature. - User input or data from URL parameters is incorporated into the `flashMessage`. An example of a vulnerable snippet where query parameters are used to populate the `text` property of a `flashMessage`. ```js var params = new URLSearchParams(location.search); var errorMessage = params.get('error__message'); var showParams = {}; if (!!errorMessage === true) { showParams.flashMessage = { type: 'error', text: 'We were unable to log you in. ' + errorMessage, }; } lock.show(showParams); ``` OR - You are utilizing `languageDictionary` feature. - User input or data from URL parameters is used in `languageDictionary` properties. An example of a vulnerable snippet where query parameters are used to populate the `socialLoginInstructions` property of a `languageDictionary`. ```js var params = new URLSearchParams(location.search); var instruction = params.get('instruction'); var options = { languageDictionary: { emailInputPlaceholder: "something@youremail.com", title: "title", socialLoginInstructions: instruction }, }; var lock = new Auth0LockPasswordless( CLIENT_ID, DOMAIN, options ); lock.show() ``` ### How to fix that? Upgrade to version `11.30.1`. ### Will this update impact my users? The fix uses [DOMPurify](https://github.com/cure53/DOMPurify) to sanitise the `flashMessage` and `languageDictionary` inputs. If you are including inline JavaScript in these fields, like `script` tags or `onclick` attributes, these will be removed.

Metadata

Created: 2021-06-04T19:10:34Z
Modified: 2021-06-07T18:54:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-jr3j-whm4-9wwm/GHSA-jr3j-whm4-9wwm.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jr3j-whm4-9wwm
Finding: F008
Auto approve: 1