CVE-2022-29172: Cross-site Scripting in Auth0 Lock
6.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.42067%
CWE
Published
5/24/2022
Updated
1/27/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
auth0-lock | npm | < 11.33.0 | 11.33.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsanitized handling of user input in additional signup fields. The pre-patch version of actions.js
directly used c.getFieldValue()
without sanitization when processing additionalSignUpFields
. The commit diff shows the vulnerable code path was in the signUp
function where field values were added to params
object without purification. The fix introduced DOMPurify
with ALLOWED_TAGS:[]
to strip HTML, confirming the vulnerability existed in this function's field processing logic.