CVE-2022-29172— Auth0 跨站脚本漏洞

HTML injection with additional signup fields

Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application. Upgrade to version `11.33.0`.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Auth0 跨站脚本漏洞

Auth0是是一个身份验证代理，支持社会和企业身份提供者，包括Active Directory、LDAP、谷歌Apps和Salesforce。 auth0-lock 11.32.2版本及之前版本存在安全漏洞，该漏洞源于当配置了附加注册字段功能时，攻击者可以将无效的 HTML 代码注入这些附加字段，攻击者利用该漏洞可通过注入 HTML 来制作恶意链接，然后在交付的电子邮件模板中将其呈现为收件人的姓名。

N/A

N/A