漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Reflected XSS from the callback handler's error query parameter
Vulnerability Description
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Auth0 跨站脚本漏洞
Vulnerability Description
Auth0是是一个身份验证代理,支持社会和企业身份提供者,包括Active Directory、LDAP、谷歌Apps和Salesforce。 Auth0 Next.js SDK 存在跨站脚本漏洞,该漏洞源于1.4.1及之前版本容易受到反射XSS的影响。攻击者可利用该漏洞可以通过在error查询参数中提供XSS有效负载来执行任意代码,然后由回调处理程序将其作为错误消息处理。
CVSS Information
N/A
Vulnerability Type
N/A