CVE-2021-32641
Summary
| CVE | CVE-2021-32641 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-04 21:15:00 UTC |
| Updated | 2021-06-16 15:42:00 UTC |
| Description | auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including `11.30.0` are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's `flashMessage` feature is utilized and user input or data from URL parameters is incorporated into the `flashMessage` or the library's `languageDictionary` feature is utilized and user input or data from URL parameters is incorporated into the `languageDictionary`. The vulnerability is patched in version 11.30.1. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Reflected XSS when using flashMessages or languageDictionary · Advisory · auth0/lock · GitHub | CONFIRM | github.com | |
| Release v11.30.1 · auth0/lock · GitHub | MISC | github.com | |
| Merge pull request from GHSA-jr3j-whm4-9wwm · auth0/lock@d139cf0 · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982357 Nodejs (npm) Security Update for auth0-lock (GHSA-jr3j-whm4-9wwm)