
Mvisat

#42203 of 53,624
6.4 Total CVSS
Vulnerabilities · 1
PT-2020-14200
6.4
2020-08-19
Auth0 · Auth0-Lock · CVE-2020-15119
**Name of the Vulnerable Software and Affected Versions**

auth0-lock versions prior to 11.26.3

**Description**

The issue exposes applications and their users to cross-site scripting (XSS) attacks because `dangerouslySetInnerHTML` is used to update the DOM. It occurs when auth0-lock is used with Passwordless or Enterprise connection modes, where user input (such as email, phone number, or IdP Domain) is displayed back to the user.

**Recommendations**

For versions prior to 11.26.3, upgrade to version 11.26.3 to resolve the issue. As a temporary workaround, consider avoiding the use of Passwordless or Enterprise connection modes until the upgrade is applied.