CVE-2021-32641

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-32641
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32641.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-32641
Aliases
Published
2021-06-04T21:15:07.573Z
Modified
2026-03-10T21:47:33.170837Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

auth0-lock is Auth0's signin solution. Versions of nauth0-lock before and including 11.30.0 are vulnerable to reflected XSS. An attacker can execute arbitrary code when the library's flashMessage feature is utilized and user input or data from URL parameters is incorporated into the flashMessage or the library's languageDictionary feature is utilized and user input or data from URL parameters is incorporated into the languageDictionary. The vulnerability is patched in version 11.30.1.

References

Affected packages

Git / github.com/auth0/lock

Affected ranges

Type
GIT
Repo
https://github.com/auth0/lock
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
a2f20d96e7ba443cf2bd0fc20c14f51f51e25717
Fixed
d139cf01c8234b07caf265e051f39d3eab08f7ed
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "11.30.1"
        }
    ]
}

Affected versions

v11.*
v11.22.4
v11.26.1
v11.28.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32641.json"