{"url":"http://public2.vulnerablecode.io/api/packages/441005?format=json","purl":"pkg:npm/auth0-lock@7.11.0","type":"npm","namespace":"","name":"auth0-lock","version":"7.11.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"11.33.0","latest_non_vulnerable_version":"11.33.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40606?format=json","vulnerability_id":"VCID-n1yb-8w3m-gbdw","summary":"auth0-lock vulnerable to XSS via unsanitized placeholder property\n## Overview\n\nAuth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the `additionalSignUpFields` customization option to add a checkbox to the sign-up dialog that are passing a `placeholder` property obtained from an untrusted source (e.g. a query parameter) could allow cross-site scripting (XSS) on their signup pages.\n\n## Am I affected?\n\nYou are affected by this vulnerability if all of the following conditions apply:\n\n- You are using Auth0 Lock version 11.20.4 or earlier.\n- You pass `additionalSignUpFields` as options when initializing Lock which includes a field of type `checkbox` whose `placeholder` value is obtained from an untrusted source.\n\nAn example of a vulnerable snippet is the following where the `placeholder` value is partially user-controlled by the `name` query parameter:\n\n```javascript\n<script>\n    var params = new URLSearchParams(window.location.search);\n    var options = {\n        auth: {\n            redirectUrl: 'http://localhost:12345/callback',\n            responseType: 'code',\n            params: {\n                scope: 'openid email',\n            },\n        },\n        additionalSignUpFields: [{\n            name: 'agree',\n            type: 'checkbox',\n            placeholder: \"I agree to Terms and Conditions for \" + params.get('name'),\n        }],\n    };\n    var lock = new Auth0Lock('<CLIENT_ID>', '<TENANT_NAME>.auth0.com', options);\n    lock.show({\n        allowShowPassword: true,\n        initialScreen: 'signUp',\n    });\n</script>\n```\n\n## How to fix that?\n\nDevelopers using Auth0’s signin solution Lock need to upgrade to version 11.21.0 or later. Version 11.21.0 introduces two changes:\n\n1. The existing `placeholder` property is now treated as plain text to mitigate the problem.\n2. A new `placeholderHTML` property is introduced that indicates the level of control it provides and that it should be only supplied from trusted sources.\n\n## Will this update impact my users?\n\nThis fix patches the Auth0 Lock widget and may require changes in application code, but it will not impact your users, their current state, or any existing sessions.\n\nDevelopers using the `placeholder` property with HTML content from a trusted source should start using the `placeholderHTML` property to continue providing the same user experience.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20174","reference_id":"","reference_type":"","scores":[{"value":"0.00386","scoring_system":"epss","scoring_elements":"0.60033","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-20174"},{"reference_url":"https://auth0.com/docs/security/bulletins/cve-2019-20174","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://auth0.com/docs/security/bulletins/cve-2019-20174"},{"reference_url":"https://github.com/auth0/lock/commit/6c15e5659c21cd814ea119af5c51b61399598dd5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/commit/6c15e5659c21cd814ea119af5c51b61399598dd5"},{"reference_url":"https://github.com/auth0/lock/releases/tag/v11.21.0","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/releases/tag/v11.21.0"},{"reference_url":"https://github.com/auth0/lock/security/advisories/GHSA-w2pf-g6r8-pg22","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/security/advisories/GHSA-w2pf-g6r8-pg22"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20174","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-20174"},{"reference_url":"https://github.com/advisories/GHSA-w2pf-g6r8-pg22","reference_id":"GHSA-w2pf-g6r8-pg22","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w2pf-g6r8-pg22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74134?format=json","purl":"pkg:npm/auth0-lock@11.21.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-natq-p2be-13eq"},{"vulnerability":"VCID-s48r-9hr2-kfgb"},{"vulnerability":"VCID-zhe2-2mur-dkhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/auth0-lock@11.21.0"}],"aliases":["CVE-2019-20174","GHSA-w2pf-g6r8-pg22"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n1yb-8w3m-gbdw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44861?format=json","vulnerability_id":"VCID-natq-p2be-13eq","summary":"Reflected XSS when using flashMessages or languageDictionary\n### Overview\n\nVersions before and including `11.30.0` are vulnerable to reflected XSS.  An attacker can execute arbitrary code when the library's\n- `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage`.\n- `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`.\n\n### Am I affected?\nYou are affected by this vulnerability if you are using `auth0-lock` version `11.30.0` or lower and all of the following conditions apply:\n\n- You are utilizing `flashMessage` feature.\n- User input or data from URL parameters is incorporated into the `flashMessage`.\n\nAn example of a vulnerable snippet where query parameters are used to populate the `text` property of a `flashMessage`.\n```js\nvar params = new URLSearchParams(location.search);\nvar errorMessage = params.get('error__message');\nvar showParams = {};\n\nif (!!errorMessage === true) {\n  showParams.flashMessage = {\n    type: 'error',\n    text: 'We were unable to log you in. ' + errorMessage,\n  };\n}\n\nlock.show(showParams);\n```\n\nOR\n\n- You are utilizing `languageDictionary` feature.\n- User input or data from URL parameters is used in `languageDictionary` properties.\n\nAn example of a vulnerable snippet where query parameters are used to populate the `socialLoginInstructions` property of a `languageDictionary`.\n```js\nvar params = new URLSearchParams(location.search);\nvar instruction = params.get('instruction');\n\nvar options = {\n  languageDictionary: {\n    emailInputPlaceholder: \"something@youremail.com\",\n    title: \"title\",\n    socialLoginInstructions: instruction\n  },\n};\n\nvar lock = new Auth0LockPasswordless(\n    CLIENT_ID,\n    DOMAIN,\n    options\n);\n\nlock.show()\n```\n\n### How to fix that?\nUpgrade to version `11.30.1`.\n\n### Will this update impact my users?\nThe fix uses [DOMPurify](https://github.com/cure53/DOMPurify) to sanitise the `flashMessage` and `languageDictionary` inputs. If you are including inline JavaScript in these fields, like `script` tags or `onclick` attributes, these will be removed.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32641","reference_id":"","reference_type":"","scores":[{"value":"0.00793","scoring_system":"epss","scoring_elements":"0.7422","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-32641"},{"reference_url":"https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed"},{"reference_url":"https://github.com/auth0/lock/releases/tag/v11.30.1","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/releases/tag/v11.30.1"},{"reference_url":"https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32641","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32641"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78703?format=json","purl":"pkg:npm/auth0-lock@11.30.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-zhe2-2mur-dkhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/auth0-lock@11.30.1"}],"aliases":["CVE-2021-32641","GHSA-jr3j-whm4-9wwm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-natq-p2be-13eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40873?format=json","vulnerability_id":"VCID-s48r-9hr2-kfgb","summary":"DOM-based XSS in auth0-lock\n### Overview\nVersions before and including `11.25.1` are using `dangerouslySetInnerHTML` to display an informational message when used with a Passwordless or Enterprise connection.\n\n- For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input.  \n- For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the `lock` widget opens.\n\nWhen Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.\n\n### Am I affected?\nYou are affected by this vulnerability if all of the following conditions apply:\n\n- You are using auth0-lock\n- You are using Passwordless or Enterprise connection mode\n\n### How to fix that?\nUpgrade to version `11.26.3`\n\n### Will this update impact my users?\nThe fix provided in patch will not affect your users.\n\n### Credit\nhttps://github.com/mvisat","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15119","reference_id":"","reference_type":"","scores":[{"value":"0.00282","scoring_system":"epss","scoring_elements":"0.51832","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15119"},{"reference_url":"https://github.com/auth0/lock/commit/3711fb5b42afd40073a61a58759251f51e768b1b","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/commit/3711fb5b42afd40073a61a58759251f51e768b1b"},{"reference_url":"https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock/security/advisories/GHSA-6gg3-pmm7-97xc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15119","reference_id":"","reference_type":"","scores":[{"value":"6.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15119"},{"reference_url":"https://github.com/advisories/GHSA-6gg3-pmm7-97xc","reference_id":"GHSA-6gg3-pmm7-97xc","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6gg3-pmm7-97xc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/454143?format=json","purl":"pkg:npm/auth0-lock@11.26.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-natq-p2be-13eq"},{"vulnerability":"VCID-zhe2-2mur-dkhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/auth0-lock@11.26.0"},{"url":"http://public2.vulnerablecode.io/api/packages/74433?format=json","purl":"pkg:npm/auth0-lock@11.26.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-natq-p2be-13eq"},{"vulnerability":"VCID-zhe2-2mur-dkhj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/auth0-lock@11.26.3"}],"aliases":["CVE-2020-15119","GHSA-6gg3-pmm7-97xc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s48r-9hr2-kfgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57445?format=json","vulnerability_id":"VCID-zhe2-2mur-dkhj","summary":"Cross-site Scripting in Auth0 Lock\n### Overview\n\nIn versions before and including `11.32.2`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property).\n\nVerification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template.\n\n### Am I affected?\nYou are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application.\n\n### How to fix that?\nUpgrade to version `11.33.0`.\n\n### Will this update impact my users?\nAdditional signup fields that have been added to the signup tab on Lock will have HTML tags stripped from user input from version `11.33.0` onwards. The user will not receive any validation warning or feedback, but backend data will no longer include HTML.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29172","reference_id":"","reference_type":"","scores":[{"value":"0.00207","scoring_system":"epss","scoring_elements":"0.43047","published_at":"2026-05-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-29172"},{"reference_url":"https://github.com/auth0/lock","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/auth0/lock"},{"reference_url":"https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:48Z/"}],"url":"https://github.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1"},{"reference_url":"https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-23T14:07:48Z/"}],"url":"https://github.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29172","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29172"},{"reference_url":"https://github.com/advisories/GHSA-7ww6-75fj-jcj7","reference_id":"GHSA-7ww6-75fj-jcj7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7ww6-75fj-jcj7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/130712?format=json","purl":"pkg:npm/auth0-lock@11.33.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/auth0-lock@11.33.0"}],"aliases":["CVE-2022-29172","GHSA-7ww6-75fj-jcj7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zhe2-2mur-dkhj"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/auth0-lock@7.11.0"}