CVE-2021-32702
HIGH8.0EPSS 0.58%Reflected XSS from the callback handler's error query parameter
Description
### Overview Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. ### Am I affected? You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. ### How to fix that? Upgrade to version `1.4.2`. ### Will this update impact my users? The fix adds basic HTML escaping to the error message and it should not impact your users. ### Credit https://github.com/inian https://github.com/git-ishanpatel
Affected packages (1)
- npm/@auth0/nextjs-auth0from 0, < 1.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |