Published: August 16, 2020 CVE number: CVE-2020-15119 Credit: Muhamad Visat

Overview

Versions before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a or Enterprise connection.
  • For a Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input.
  • For an Enterprise connection, the value of the input ( Domain) from the Enterprise connection setup screen () is displayed back to the user when the Lock widget opens.
When a Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:
  • You are using auth0-lock
  • You are using Passwordless or Enterprise connection mode

How to fix that?

Upgrade to version 11.26.3.

Will this update impact my users?

The fix provided in the patch will not affect your users.