6.1

CVSS Score

Basic Information

CVE ID

CVE-2019-20174

GHSA ID

GHSA-w2pf-g6r8-pg22

EPSS Score

CWE

CWE-79

Published

1/31/2020

Updated

9/11/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-20174

CVE-2019-20174:
auth0-lock vulnerable to XSS via unsanitized placeholder property

Overview

Auth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the additionalSignUpFields customization option to add a checkbox to the sign-up dialog that are passing a placeholder property obtained from an untrusted source (e.g. a query parameter) could allow cross-site scripting (XSS) on their signup pages.

Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

You are using Auth0 Lock version 11.20.4 or earlier.
You pass additionalSignUpFields as options when initializing Lock which includes a field of type checkbox whose placeholder value is obtained from an untrusted source.

An example of a vulnerable snippet is the following where the placeholder value is partially user-controlled by the name query parameter:

<script>
    var params = new URLSearchParams(window.location.search);
    var options = {
        auth: {
            redirectUrl: 'http://localhost:12345/callback',
            responseType: 'code',
            params: {
                scope: 'openid email',
            },
        },
        additionalSignUpFields: [{
            name: 'agree',
            type: 'checkbox',
            placeholder: "I agree to Terms and Conditions for " + params.get('name'),
        }],
    };
    var lock = new Auth0Lock('<CLIENT_ID>', '<TENANT_NAME>.auth0.com', options);
    lock.show({
        allowShowPassword: true,
        initialScreen: 'signUp',
    });
</script>

How to fix that?

Developers using Auth0’s signin solution Lock need to upgrade to version 11.21.0 or later. Version 11.21.0 introduces two changes:

The existing placeholder property is now treated as plain text to mitigate the problem.
A new placeholderHTML property is introduced that indicates the level of control it provides and that it should be only supplied from trusted sources.

Will this update impact my users?

This fix patches the Auth0 Lock widget and may require changes in application code, but it will not impact your users, their current state, or any existing sessions.

Developers using the placeholder property with HTML content from a trusted source should start using the placeholderHTML property to continue providing the same user experience.

(GitHub Advisory)

6.1

CVSS Score

Basic Information

CVE ID

CVE-2019-20174

GHSA ID

GHSA-w2pf-g6r8-pg22

EPSS Score

CWE

CWE-79

Published

1/31/2020

Updated

9/11/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
auth0-lock	npm	< 11.21.0	11.21.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) The CheckboxInput component's render method directly injected the 'placeholder' value using React's dangerouslySetInnerHTML without sanitization, making it susceptible to XSS. 2) The options processing logic in processDatabaseOptions did not properly validate that 'placeholder' values for checkbox fields should be treated as plain text. The commit diff shows the fix involved separating placeholder (plain text) and placeholderHTML (explicit HTML) handling, confirming the previous unsafe usage of 'placeholder' with innerHTML.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Ov*rvi*w *ut** Lo*k v*rsion **.**.* *n* **rli*r *i* not prop*rly s*nitiz* t** **n*r*t** *TML *o**. *ustom*rs usin* t** `***ition*lSi*nUp*i*l*s` *ustomiz*tion option to *** * ****k*ox to t** si*n-up *i*lo* t**t *r* p*ssin* * `pl****ol**r` prop*rty

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) T** ****k*oxInput *ompon*nt's r*n**r m*t*o* *ir**tly inj**t** t** 'pl****ol**r' v*lu* usin* R***t's **n**rouslyS*tInn*r*TML wit*out s*nitiz*tion, m*kin* it sus**pti*l* to XSS. *) T** options pro**ssin*

6.1

Basic Information

Concerned about an active attack path?

CVE-2019-20174: auth0-lock vulnerable to XSS via unsanitized placeholder property

Overview

Am I affected?

How to fix that?

Will this update impact my users?

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-20174:
auth0-lock vulnerable to XSS via unsanitized placeholder property

Vulnerability Intelligence
Miggo AI