PT-2020-10358 · Auth0 · Auth0-Lock

Muhamad Visat · Published 2020-01-31 · Updated 2020-02-05 · CVE-2019-20174

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Auth0 Lock versions prior to 11.21.0

Description: The issue arises when additionalSignUpFields is used with an untrusted placeholder in Auth0 Lock, allowing cross-site scripting (XSS) on signup pages. This occurs when the placeholder property is obtained from an untrusted source, such as a query parameter, and is used to add a checkbox to the sign-up dialog. Affected versions of Auth0 Lock insert the placeholder value into the generated HTML without sanitizing it, so markup in the value is rendered rather than displayed as text.

Recommendations: For Auth0 Lock versions prior to 11.21.0, upgrade to version 11.21.0 or later to fix the issue. In version 11.21.0, the placeholder property is treated as plain text, and a new placeholderHTML property is introduced for use with trusted sources. Developers who supply HTML content in the placeholder property from a trusted source should switch to the placeholderHTML property to keep the same user experience.
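The following is an added example, not Auth0's code: a small model of the defect and of the 11.21.0 behaviour described above, with a checkbox label taken from a query parameter. The field object is loosely modelled on an additionalSignUpFields entry; the render function names and the sample URL value are hypothetical and constructed here.

```javascript
// Added example (not Auth0 Lock's code). Models how a checkbox label built
// from an untrusted `placeholder` becomes XSS, and how treating `placeholder`
// as plain text (with `placeholderHTML` reserved for trusted markup) fixes it.

// Escape the characters that would otherwise be interpreted as HTML.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pre-fix behaviour (hypothetical model): the placeholder string is
// concatenated into the markup unchanged, so attacker-controlled text
// becomes attacker-controlled HTML in the sign-up dialog.
function renderCheckboxVulnerable(field) {
  return `<label><input type="checkbox" name="${escapeHtml(field.name)}"> ${field.placeholder}</label>`;
}

// Fixed behaviour as the advisory describes it: `placeholder` is always
// escaped as plain text; only `placeholderHTML`, which the integrator must
// supply from a trusted source, is inserted as markup.
function renderCheckboxFixed(field) {
  const label = field.placeholderHTML !== undefined
    ? field.placeholderHTML
    : escapeHtml(field.placeholder);
  return `<label><input type="checkbox" name="${escapeHtml(field.name)}"> ${label}</label>`;
}

// Constructed untrusted input: a value lifted straight from the page URL
// (?terms=<b>I+agree</b>), the pattern the description warns against.
const untrustedPlaceholder = new URLSearchParams("terms=%3Cb%3EI+agree%3C%2Fb%3E").get("terms");

function demo() {
  const field = { type: "checkbox", name: "terms", placeholder: untrustedPlaceholder };
  return {
    vulnerable: renderCheckboxVulnerable(field), // raw <b> tag reaches the DOM
    fixed: renderCheckboxFixed(field),           // tag shown as literal text
  };
}
```

A quick check that a migration is complete: after upgrading, only fields whose label markup comes from your own configuration should carry placeholderHTML, and nothing read from the request should ever reach it.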

Related Identifiers: CVE-2019-20174, GHSA-W2PF-G6R8-PG22

Affected Products: Auth0-Lock