CVE-2019-20174: Security Update for Auth0 Lock Library
Published: January 30, 2020
CVE number: CVE-2019-20174
Credit: Muhamad Visat
Overview
Auth0 Lock version 11.20.4 and earlier did not properly sanitize the generated HTML code. Customers using the additionalSignUpFields
customization option to add a checkbox to the sign-up dialog who are passing a placeholder
property obtained from an untrusted source (e.g., a query parameter) could allow cross-site scripting (XSS) on their sign-up pages.
Am I affected?
You are affected by this vulnerability if all of the following conditions apply:
You are using Auth0 Lock version 11.20.4 or earlier.
You pass
additionalSignUpFields
as an option when initializing Lock, and it includes a field of typecheckbox
with aplaceholder
value obtained from an untrusted source.
An example of a vulnerable snippet is the following where the placeholder
value is partially user-controlled by the name
query parameter:
<script>
var params = new URLSearchParams(window.location.search);
var options = {
auth: {
redirectUrl: 'http://localhost:12345/callback',
responseType: 'code',
params: {
scope: 'openid email',
},
},
additionalSignUpFields: [{
name: 'agree',
type: 'checkbox',
placeholder: "I agree to Terms & Conditions for " + params.get('name'),
}],
};
var lock = new Auth0Lock('<CLIENT_ID>', '<TENANT_NAME>.auth0.com', options);
lock.show({
allowShowPassword: true,
initialScreen: 'signUp',
});
</script>
Was this helpful?
How to fix that?
Developers using Auth0’s Lock sign-in solution need to upgrade to version 11.21.0 or later. Version 11.21.0 introduces two changes:
The existing
placeholder
property is now treated as plain text to mitigate the problem.A new
placeholderHTML
property is introduced that indicates the level of control it provides and that its value should be supplied only from trusted sources.
Will this update impact my users?
This fix patches the Auth0 Lock widget and may require changes in application code, but it will not impact your users, their current state, or any existing sessions.
Developers using the placeholder
property with HTML content from a trusted source should start using the placeholderHTML
property to continue providing the same user experience.