CVE-2021-32702
HIGH8.0EPSS 0.58%Reflected XSS from the callback handler's error query parameter
描述
### Overview Versions before and including `1.4.1` are vulnerable to reflected XSS. An attacker can execute arbitrary code by providing an XSS payload in the `error` query parameter which is then processed by the callback handler as an error message. ### Am I affected? You are affected by this vulnerability if you are using `@auth0/nextjs-auth0` version `1.4.1` or lower **unless** you are using custom error handling that does not return the error message in an HTML response. ### How to fix that? Upgrade to version `1.4.2`. ### Will this update impact my users? The fix adds basic HTML escaping to the error message and it should not impact your users. ### Credit https://github.com/inian https://github.com/git-ishanpatel
受影響套件(1)
- npm/@auth0/nextjs-auth0from 0, < 1.4.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |