auth0-lock
npm4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting auth0-lockpage 1 of 1
- CVE-2019-20174MEDIUMCVSS 6.1EG 6.1✓ Fixed in 11.21.02020-02-03
Auth0 Lock before 11.21.0 allows XSS when additionalSignUpFields is used with an untrusted placeholder.
- CVE-2020-15119MEDIUMCVSS 6.4EG 6.4✓ Fixed in 11.26.32020-08-20
In auth0-lock versions before and including 11.25.1, dangerouslySetInnerHTML is used to update the DOM. When dangerouslySetInnerHTML is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.
- CVE-2021-32641HIGHCVSS 8.1EG 8.1✓ Fixed in 11.30.12021-06-04
auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or d…
- CVE-2022-29172MEDIUMCVSS 6.1EG 6.1✓ Fixed in 11.33.02022-05-05
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is…
Check whether auth0-lock is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for auth0-lock CVEs against the assets you own.
Start Free Scan →