CVE-2019-20174: 
JavaScript vulnerability analysis and mitigation

Auth0 Lock before version 11.21.0 contained a Cross-Site Scripting (XSS) vulnerability when the additionalSignUpFields feature was used with an untrusted placeholder. The vulnerability was discovered by Muhamad Visat and was assigned CVE-2019-20174, with public disclosure on January 30, 2020 (Auth0 Bulletin).

The vulnerability existed in Auth0 Lock version 11.20.4 and earlier versions where the application failed to properly sanitize HTML code. The issue specifically occurred when using the additionalSignUpFields customization option to add a checkbox to the sign-up dialog with a placeholder property obtained from an untrusted source, such as a query parameter. This could lead to potential cross-site scripting attacks. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Medium) severity (NVD Results).

The vulnerability could allow attackers to execute cross-site scripting (XSS) attacks on sign-up pages where the additionalSignUpFields feature was implemented with untrusted placeholder values. This could potentially lead to unauthorized access to user data or manipulation of the sign-up process (Auth0 Bulletin).

The vulnerability was patched in Auth0 Lock version 11.21.0. The fix introduced two significant changes: the existing placeholder property is now treated as plain text to mitigate the XSS risk, and a new placeholderHTML property was introduced for cases where HTML content from trusted sources is needed. Users are advised to upgrade to version 11.21.0 or later to resolve the vulnerability (Auth0 Bulletin, GitHub Release).