CVE-2022-29172: Cross-site Scripting in Auth0 Lock

CVSS Score (CVSS v3.1): 6.1

Basic Information

EPSS Score: 0.42067%
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| auth0-lock | npm | < 11.33.0 | 11.33.0 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unsanitized handling of user input in additional signup fields. The pre-patch version of `actions.js` used `c.getFieldValue()` directly, without sanitization, when processing `additionalSignUpFields`. The commit diff shows that the vulnerable code path was in the `signUp` function, where field values were added to the `params` object without purification. The fix introduced DOMPurify with `ALLOWED_TAGS: []` to strip HTML, confirming that the vulnerability lay in this function's field-processing logic.
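To make the root cause concrete, the following is an added example (not Auth0 Lock's own code) of a signup parameter builder in its pre-patch and patched forms. The field list, the model shape, the root/user_metadata storage split and the `stripTags()` stand-in for `DOMPurify.sanitize(value, { ALLOWED_TAGS: [] })` are all assumptions made so the example runs offline.

```javascript
// Added illustration of the defect described above; not Auth0 Lock's code.
// Pre-patch, additional signup field values were copied into the signup
// params verbatim; the fix runs each value through DOMPurify with
// ALLOWED_TAGS: []. stripTags() below is a stand-in for that DOMPurify call.

// Constructed sample: what a browser would submit for two extra signup fields.
const submittedFields = {
  company: '<img src=x onerror="alert(1)">Example Corp',
  nickname: 'Alice <b>the</b> Admin',
};

// Hypothetical field configuration (storage split is an assumption).
const additionalSignUpFields = [
  { name: 'company', storage: 'user_metadata' },
  { name: 'nickname', storage: 'root' },
];

// Mirrors the role of getFieldValue() in the advisory: read the raw value.
function getFieldValue(model, name) {
  return model[name] === undefined ? '' : String(model[name]);
}

// Stand-in for DOMPurify.sanitize(value, { ALLOWED_TAGS: [] }): keep only the
// text outside tags. An unterminated '<' is dropped to end of string. Use the
// real DOMPurify in production; this is only an approximation for the demo.
function stripTags(value) {
  let out = '';
  let inTag = false;
  for (const ch of value) {
    if (inTag) { if (ch === '>') inTag = false; continue; }
    if (ch === '<') { inTag = true; continue; }
    out += ch;
  }
  return out;
}

// Builds the signup params; `sanitize` is the step the patch added.
function buildSignUpParams(model, fields, sanitize) {
  const params = { user_metadata: {} };
  for (const field of fields) {
    const value = sanitize(getFieldValue(model, field.name));
    if (field.storage === 'root') params[field.name] = value;
    else params.user_metadata[field.name] = value;
  }
  return params;
}

// Pre-patch behaviour: identity "sanitizer", markup reaches the backend as-is.
const vulnerableParams = buildSignUpParams(submittedFields, additionalSignUpFields, v => v);
// Patched behaviour: tags are stripped before the values leave the widget.
const patchedParams = buildSignUpParams(submittedFields, additionalSignUpFields, stripTags);
```

Comparing `vulnerableParams` with `patchedParams` shows the only difference the fix makes: the same field processing, with every value passed through the sanitizer first.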


WAF Protection Rules

### Overview

In versions before `11.33.0`, when the "additional signup fields" feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject unvalidated HTML code into these additional