CVE-2021-32702
Summary
| Field | Value |
|---|---|
| CVE | CVE-2021-32702 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-25 17:15:00 UTC |
| Updated | 2023-11-07 03:35:00 UTC |
| Description | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter, which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. Upgrade to version `1.4.1` to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users. |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Auth0 | Nextjs-auth0 | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| @auth0/nextjs-auth0 - npm | MISC | www.npmjs.com | |
| Reflected XSS from the callback handler's error query parameter · Advisory · auth0/nextjs-auth0 · GitHub | CONFIRM | github.com | |
| Merge pull request from GHSA-954c-jjx6-cxv7 · auth0/nextjs-auth0@6996e25 · GitHub | MISC | github.com | |
| @auth0/nextjs-auth0 - npm | | www.npmjs.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982045 Nodejs (npm) Security Update for @auth0/nextjs-auth0 (GHSA-954c-jjx6-cxv7)