VulnerableCode Package Details - pkg:npm/auth0-lock@11.26.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-fnw8-u5tm-7qfu Aliases: CVE-2022-29172 GHSA-7ww6-75fj-jcj7	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the â€œadditional signup fieldsâ€? feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the â€œadditional signup fieldsâ€? feature in your application. Upgrade to version `11.33.0`.	11.33.0 Affected by 0 other vulnerabilities.
VCID-k2s5-kxvv-17hn Aliases: CVE-2021-32641 GHSA-jr3j-whm4-9wwm	Cross-site Scripting auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`.	11.30.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-fnw8-u5tm-7qfu
Aliases:
CVE-2022-29172
GHSA-7ww6-75fj-jcj7

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the â€œadditional signup fieldsâ€? feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the â€œadditional signup fieldsâ€? feature in your application. Upgrade to version `11.33.0`.

11.33.0
Affected by 0 other vulnerabilities.

VCID-k2s5-kxvv-17hn
Aliases:
CVE-2021-32641
GHSA-jr3j-whm4-9wwm

Cross-site Scripting auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`.

11.30.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-2r6q-ehzz-6yb4	Cross-site Scripting In auth0-lock `dangerouslySetInnerHTML` is used to update the DOM. When `dangerouslySetInnerHTML` is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.	CVE-2020-15119 GHSA-6gg3-pmm7-97xc

Vulnerability

Summary

Aliases

VCID-2r6q-ehzz-6yb4

Cross-site Scripting In auth0-lock `dangerouslySetInnerHTML` is used to update the DOM. When `dangerouslySetInnerHTML` is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

CVE-2020-15119
GHSA-6gg3-pmm7-97xc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T01:45:19.707869+00:00	GitLab Importer	Affected by	VCID-fnw8-u5tm-7qfu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-lock/CVE-2022-29172.yml	38.6.0
2026-06-06T00:43:52.400747+00:00	GitLab Importer	Affected by	VCID-k2s5-kxvv-17hn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/auth0-lock/CVE-2021-32641.yml	38.6.0
2026-06-05T21:12:44.744682+00:00	GHSA Importer	Fixing	VCID-2r6q-ehzz-6yb4	https://github.com/advisories/GHSA-6gg3-pmm7-97xc	38.6.0
2026-06-04T17:23:53.393887+00:00	GithubOSV Importer	Fixing	VCID-2r6q-ehzz-6yb4	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-6gg3-pmm7-97xc/GHSA-6gg3-pmm7-97xc.json	38.6.0