CVE-2021-32641 Information

Jun 07, 2022 cve

Description

auth0-lock is Auth0’s signin solution. Versions of nauth0-lock before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library’s flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage or the library’s languageDictionary feature is utilized and user input or data from URL parameters is incorporated into the languageDictionary. The vulnerability is patched in version 11.30.1.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/auth0/lock/commit/d139cf01c8234b07caf265e051f39d3eab08f7ed https://github.com/auth0/lock/releases/tag/v11.30.1 https://github.com/auth0/lock/security/advisories/GHSA-jr3j-whm4-9wwm

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1

Share on: