Severity: low

DOM-based XSS



Versions before and including 11.25.1 are using dangerouslySetInnerHTML to display an informational message when used with a Passwordless or Enterprise connection.

For Passwordless connection, the value of the input (email or phone number) is displayed back to the user while waiting for verification code input.

For Enterprise connection, the value of the input (IdP Domain) from the Enterprise connection setup screen (Auth0 Dashboard) is displayed back to the user when the lock widget opens. When Passwordless or Enterprise connection is used, the application and its users might be exposed to cross-site scripting (XSS) attacks.

You are affected by this vulnerability if all of the following conditions apply:

  • You are using auth0-lock
  • You are using Passwordless or Enterprise connection mode


Upgrade to version 11.26.3.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Aug 19th, 2020
  2. reported

    Reported by Muhamad Visat
    Aug 19th, 2020