Auth0 · Auth0 · CVE-2022-29172
**Name of the Vulnerable Software and Affected Versions**
Auth0 Lock (the `auth0/lock` UI library for authentication), versions prior to 11.33.0
**Description**
The issue is in the "additional signup fields" feature of Lock (`additionalSignUpFields`). A malicious actor can submit unvalidated HTML in one of these fields; the value is stored in the user's `user_metadata` payload under the `name` property and later substituted, unescaped, into the delivered email template as the recipient's name. By injecting HTML the actor can therefore craft a malicious link that is rendered as live markup in the email the recipient receives.
**Recommendations**
For versions prior to 11.33.0, upgrade to version 11.33.0 or later to fix the issue. As a temporary workaround until the update is applied, restrict or disable the "additional signup fields" feature.
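The following is an added example, not Auth0's or Lock's own code, modelling the data flow from the Description and the mitigation from the Recommendations: a value typed into an additional signup field lands in `user_metadata.name` and is then substituted into an HTML email template. It shows the unescaped rendering that makes injected markup live, the hardened rendering that escapes on output, and an input-side validator in the shape Lock's documented `additionalSignUpFields` `validator` option accepts. The template string, the attacker payload and the function names are constructed for the example.

```javascript
// Added example (not Auth0's or Lock's code). Models the advisory's flow:
// signup field value -> user_metadata.name -> substituted into an HTML email.

// Constructed sample: what an attacker could type into the signup field.
const MALICIOUS_NAME =
  'Alice<a href="https://attacker.example/reset">Click here to reset your password</a>';

// Constructed HTML email template; {{name}} stands in for the recipient-name
// placeholder of a real template.
const EMAIL_TEMPLATE = '<p>Hello {{name}},</p><p>Welcome to Example App.</p>';

// Vulnerable rendering: the stored name is interpolated as raw HTML, so the
// attacker-controlled markup becomes a clickable link in the delivered mail.
function renderEmailUnsafe(userMetadata) {
  return EMAIL_TEMPLATE.replace('{{name}}', String(userMetadata.name));
}

// Minimal HTML escaper for text context: the five characters that can break
// out of a text node or attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: escape on output, so stored markup is shown as text.
function renderEmailSafe(userMetadata) {
  return EMAIL_TEMPLATE.replace('{{name}}', escapeHtml(userMetadata.name));
}

// Input-side defence: a validator in the shape Lock's additionalSignUpFields
// accepts (validator(value) returning { valid, hint }). Rejecting markup at
// signup is a second layer; it does not replace escaping on output, because
// user_metadata can also be written through other paths.
function nameFieldValidator(value) {
  const ok =
    typeof value === 'string' && value.length >= 1 && value.length <= 100 && !/[<>]/.test(value);
  return {
    valid: ok,
    hint: ok ? '' : 'Name must be 1-100 characters and must not contain < or >',
  };
}

// How the validator plugs into Lock's options (field name is assumed; the
// value of an additional signup field is stored under user_metadata.<name>).
const lockOptions = {
  additionalSignUpFields: [
    { name: 'name', placeholder: 'Your name', validator: nameFieldValidator },
  ],
};

// Stand-alone demonstration of the two renderings.
console.log('unsafe:', renderEmailUnsafe({ name: MALICIOUS_NAME }));
console.log('safe:  ', renderEmailSafe({ name: MALICIOUS_NAME }));
console.log('validator:', nameFieldValidator(MALICIOUS_NAME));
```

The point to take from the two renderings is that the fix belongs at the point where `user_metadata.name` is emitted into HTML, not only at the signup form: the workaround of restricting the signup fields removes one write path, while output escaping covers every value that reaches the template.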