CVE-2022-29172
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-29172
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29172.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-29172
- Aliases
- Published
- 2022-05-05T22:50:09Z
- Modified
- 2025-11-28T03:41:35.151088Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- HTML injection with additional signup fields
- Details
-
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before
11.33.0, when the “additional signup fields” feature is configured, a malicious actor can inject invalidated HTML code into these additional fields, which is then stored in the serviceuser_metdatapayload (using thenameproperty). Verification emails, when applicable, are generated using this metadata. It is therefor possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are usingauth0-lockversion11.32.2or lower and are using the “additional signup fields” feature in your application. Upgrade to version11.33.0. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29172.json" }- References