PT-2021-19825 · Auth0 · Auth0-Lock
Lzychowski · Published 2021-06-04 · Updated 2021-06-16 · CVE-2021-32641
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: auth0-lock versions 11.30.0 and earlier
Description: The issue is a reflected XSS vulnerability. An attacker can execute arbitrary code when the library's flashMessage feature is used and user input or data from URL parameters is incorporated into the flashMessage, or when the library's languageDictionary feature is used and user input or data from URL parameters is incorporated into the languageDictionary.
Recommendations: For versions 11.30.0 and earlier, upgrade to version 11.30.1 to resolve the issue. As a temporary workaround, consider disabling the flashMessage and languageDictionary features until a patch is available. Restrict access to user input or data from URL parameters in these features to minimize the risk of exploitation.
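As an added example (not Auth0's code and not part of this advisory), the following JavaScript shows the restriction the recommendations describe: Lock options are derived from the page URL, but the URL may only select a flashMessage from an allow-list by short code, and a display name placed into languageDictionary must match a conservative character pattern, so raw query text never reaches either feature. The option shapes (flashMessage as { type, text }, languageDictionary as { title }) follow Auth0 Lock's documented options; the helper names and the query parameters msg and app are assumptions.

```javascript
// Added example, not Auth0's code. Builds Auth0 Lock options from a page URL
// without reflecting free-form query text into flashMessage or languageDictionary.
// Parameter names `msg` and `app` and all function names are hypothetical.

// Allow-list: the URL may only carry a message code, never the message text.
const FLASH_MESSAGES = {
  verified: { type: 'success', text: 'Your email address has been verified.' },
  expired:  { type: 'error',   text: 'Your session expired. Please sign in again.' },
  reset:    { type: 'success', text: 'Your password was reset.' },
};

const DEFAULT_TITLE = 'Sign in';

// Display names are restricted to letters, digits, spaces and a few safe
// punctuation characters, capped at 40 characters. Anything else is rejected
// outright rather than escaped, so the value can never carry markup.
const SAFE_NAME = /^[A-Za-z0-9 ._-]{1,40}$/;

function flashMessageForCode(code) {
  if (code === null || !Object.prototype.hasOwnProperty.call(FLASH_MESSAGES, code)) {
    return undefined; // unknown or missing code: show no flash message at all
  }
  return { ...FLASH_MESSAGES[code] };
}

function titleForAppName(app) {
  if (app === null || !SAFE_NAME.test(app)) {
    return DEFAULT_TITLE; // fall back instead of reflecting the parameter
  }
  return `Sign in to ${app}`;
}

// Derive the options object that would be passed to `new Auth0Lock(...)`.
function lockOptionsFromUrl(urlString) {
  const params = new URL(urlString).searchParams;
  const options = { languageDictionary: { title: titleForAppName(params.get('app')) } };
  const flash = flashMessageForCode(params.get('msg'));
  if (flash) {
    options.flashMessage = flash;
  }
  return options;
}
```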

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2021-32641
GHSA-JR3J-WHM4-9WWM

Affected Products

Auth0-Lock