PT-2022-2605 · Auth0 · Auth0

evansims · Published 2022-05-05 · Updated 2023-03-01 · CVE-2022-29172

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Auth0 versions prior to 11.33.0
Description: The issue is related to the "additional signup fields" feature in Auth0, where a malicious actor can inject unvalidated HTML code into these fields, which is then stored in the service's user metadata payload under the name property. This allows an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.
Recommendations: For versions prior to 11.33.0, upgrade to version 11.33.0 to fix the issue. As a temporary workaround, consider restricting the use of the "additional signup fields" feature until the update is applied.
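The description above comes down to a stored value (the name field of the user metadata) being interpolated verbatim into an HTML email template. The following is an added illustration written for this entry, not Auth0 code and not the vendor's fix: a hypothetical template renderer shown once without output encoding and once with HTML entity escaping applied at render time, plus a storage-time validator for the signup field. The template text, the function names and the sample payload are all constructed for the example.

```javascript
// Added example (not Auth0 code): escaping a user-supplied display name
// before it is interpolated into an HTML email template.

// Minimal HTML entity escaper covering the characters that can break out
// of text content or an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical email template: the name field of the stored user metadata
// is rendered inside the greeting.
const TEMPLATE = '<p>Hello, {{name}}! Please confirm your account.</p>';

// Vulnerable variant: interpolates the stored value verbatim, so any HTML
// stored in the name field becomes part of the delivered email markup.
// (A function replacement is used so that "$" sequences in the value are
// not interpreted as String.prototype.replace patterns.)
function renderUnsafe(userMetadata) {
  return TEMPLATE.replace('{{name}}', () => String(userMetadata.name));
}

// Hardened variant: the name is entity-escaped at render time, so it is
// displayed as literal text regardless of what was stored.
function renderSafe(userMetadata) {
  return TEMPLATE.replace('{{name}}', () => escapeHtml(userMetadata.name));
}

// Defence in depth: reject signup-field values that contain markup at
// storage time as well, instead of relying only on output encoding.
function validateSignupName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 100) {
    return false;
  }
  return !/[<>]/.test(name);
}

// Constructed sample payload modelled on a stored name containing a link.
const sample = { name: 'Pat <a href="https://example.invalid/">click here</a>' };

console.log(renderUnsafe(sample)); // the anchor becomes live markup in the email
console.log(renderSafe(sample));   // the anchor is shown as inert text
console.log(validateSignupName(sample.name)); // false: rejected at signup
```

Output encoding at the point where the value enters the HTML template is the fix that closes the bug class; the storage-time check is an extra layer that also keeps the stored metadata clean for any other consumer that renders it.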

Tags: XSS

Weakness Enumeration

Related Identifiers

BDU:2022-03063
CVE-2022-29172
GHSA-7WW6-75FJ-JCJ7

Affected Products

Auth0