Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTML injection with additional signup fields
Vulnerability Description
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application. Upgrade to version `11.33.0`.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Auth0 跨站脚本漏洞
Vulnerability Description
Auth0是是一个身份验证代理,支持社会和企业身份提供者,包括Active Directory、LDAP、谷歌Apps和Salesforce。 auth0-lock 11.32.2版本及之前版本存在安全漏洞,该漏洞源于当配置了附加注册字段功能时,攻击者可以将无效的 HTML 代码注入这些附加字段,攻击者利用该漏洞可通过注入 HTML 来制作恶意链接,然后在交付的电子邮件模板中将其呈现为收件人的姓名。
CVSS Information
N/A
Vulnerability Type
N/A