Reflected XSS from the callback handler's error query parameter
CVE-2021-32702

8HIGH

Key Information:

Vendor

Auth0

Status
Nextjs-auth0
Vendor
CVE Published:
25 June 2021

What is CVE-2021-32702?

The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions before and including 1.4.1 are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the error query parameter which is then processed by the callback handler as an error message. You are affected by this vulnerability if you are using @auth0/nextjs-auth0 version 1.4.1 or lower unless you are using custom error handling that does not return the error message in an HTML response. Upgrade to version 1.4.1 to resolve. The fix adds basic HTML escaping to the error message and it should not impact your users.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

nextjs-auth0 < 1.4.2

References

https://github.com/auth0/nextjs-auth0/security/advisories...
x_refsource_CONFIRM
https://github.com/auth0/nextjs-auth0/commit/6996e2528cee...
x_refsource_MISC
https://www.npmjs.com/package/%40auth0/nextjs-auth0
x_refsource_MISC

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.