CVE-2022-29172: 
JavaScript vulnerability analysis and mitigation

CVE-2022-29172 affects Auth0, an authentication broker that supports various identity providers including Active Directory, LDAP, Google Apps, and Salesforce. The vulnerability was discovered in versions before 11.33.0 of the auth0-lock package, specifically affecting installations using the 'additional signup fields' feature. The issue was disclosed on May 5, 2022, and was patched in version 11.33.0 (GitHub Advisory).

The vulnerability allows malicious actors to inject invalidated HTML code into additional signup fields, which is then stored in the service user_metadata payload using the name property. When verification emails are generated using this metadata, the injected HTML code is rendered as the recipient's name within the delivered email template. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability could allow attackers to inject malicious HTML code that would be rendered in verification emails sent to users. This could potentially be used for phishing attacks or other malicious purposes by exploiting the trust users place in official verification emails from the Auth0 service (GitHub Advisory).

The recommended mitigation is to upgrade to auth0-lock version 11.33.0 or later. In the patched version, HTML tags are automatically stripped from user input in additional signup fields. The update implements DOMPurify sanitization to prevent HTML injection, with no HTML tags being allowed in the sanitized output (GitHub Commit).