CVE-2020-15119

Name of the Vulnerable Software and Affected Versions auth0-lock versions prior to 11.26.3

Description The issue exposes applications and their users to cross-site scripting (XSS) attacks due to the use of dangerouslySetInnerHTML to update the DOM. This occurs when auth0-lock is used with Passwordless or Enterprise connection modes, where user input (such as email, phone number, or IdP Domain) is displayed back to the user. This can lead to XSS attacks.

Recommendations For versions prior to 11.26.3, upgrade to version 11.26.3 to resolve the issue. As a temporary workaround, consider avoiding the use of Passwordless or Enterprise connection modes until the upgrade is applied.