CVE-2022-29172

Description

### Overview In versions before and including `11.32.2`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the service `user_metdata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. ### Am I affected? You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application. ### How to fix that? Upgrade to version `11.33.0`. ### Will this update impact my users? Additional signup fields that have been added to the signup tab on Lock will have HTML tags stripped from user input from version `11.33.0` onwards. The user will not receive any validation warning or feedback, but backend data will no longer include HTML.

How to fix CVE-2022-29172

To remediate CVE-2022-29172, upgrade the affected package to a fixed version below.

• —upgrade to 11.33.0 or later

Is CVE-2022-29172 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 11.33.0

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-29172
• PATCHgithub.com/auth0/lock
• WEBgithub.com/auth0/lock/commit/79ae557d331274b114848150f19832ae341771b1
• WEBgithub.com/auth0/lock/security/advisories/GHSA-7ww6-75fj-jcj7