CVE-2022-29172: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in auth0 lock
Auth0 is an authentication broker that supports both social and enterprise identity providers, including Active Directory, LDAP, Google Apps, and Salesforce. In versions before `11.33.0`, when the “additional signup fields” feature [is configured](https://github.com/auth0/lock#additional-sign-up-fields), a malicious actor can inject unvalidated HTML code into these additional fields, which is then stored in the service `user_metadata` payload (using the `name` property). Verification emails, when applicable, are generated using this metadata. It is therefore possible for an actor to craft a malicious link by injecting HTML, which is then rendered as the recipient's name within the delivered email template. You are impacted by this vulnerability if you are using `auth0-lock` version `11.32.2` or lower and are using the “additional signup fields” feature in your application. Upgrade to version `11.33.0`.
AI Analysis
Technical Summary
CVE-2022-29172 is a cross-site scripting (XSS) vulnerability affecting the Auth0 Lock library, a widely used authentication broker that integrates with multiple identity providers such as Active Directory, LDAP, Google Apps, and Salesforce. Specifically, versions of Auth0 Lock prior to 11.33.0 that utilize the “additional signup fields” feature are vulnerable. This feature allows applications to collect extra user information during signup, which is stored in the user_metadata payload under the 'name' property. The vulnerability arises because the input provided in these additional signup fields is not properly sanitized or neutralized before being embedded into verification emails sent to users. An attacker can inject malicious HTML or JavaScript code into these fields, which then gets stored and subsequently rendered in the email template as the recipient's name. When the victim opens the verification email, the malicious script executes in the context of the email client, potentially leading to theft of sensitive information, session hijacking, or other malicious actions depending on the email client’s capabilities and security controls. Exploitation does not require authentication but does require the attacker to submit crafted input during signup. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and is rated medium severity by the vendor. No known exploits have been reported in the wild as of the publication date. The recommended remediation is to upgrade Auth0 Lock to version 11.33.0 or later, where input sanitization for additional signup fields has been implemented to prevent injection of malicious code.
Potential Impact
For European organizations using Auth0 Lock versions prior to 11.33.0 with the additional signup fields feature enabled, this vulnerability poses a risk to the confidentiality and integrity of user communications. Attackers could craft malicious signup data that results in execution of scripts within verification emails, potentially compromising user credentials or session tokens if the email client is vulnerable to script execution. This could lead to unauthorized access to user accounts, data leakage, or further phishing attacks leveraging trusted email communications. The impact is particularly significant for organizations handling sensitive personal or financial data, such as banks, healthcare providers, and government services. Since Auth0 is commonly used by enterprises for identity management, exploitation could affect large user bases. However, the attack requires the attacker to register or sign up with malicious input, which may limit the scope to externally facing applications that allow open registration. The vulnerability does not directly affect availability but could indirectly impact user trust and service reputation if exploited. Given the medium severity and lack of known exploits, the immediate risk is moderate but warrants prompt remediation to prevent potential targeted attacks.
Mitigation Recommendations
1. Upgrade Auth0 Lock to version 11.33.0 or later immediately to ensure proper input sanitization in additional signup fields.
2. Review and restrict the use of additional signup fields to only those necessary, minimizing the attack surface.
3. Implement server-side validation and sanitization of all user-supplied input before storage or rendering, even if the library claims to handle it.
4. Monitor verification email templates and logs for unusual or unexpected HTML content that could indicate attempted injection.
5. Educate users to be cautious with verification emails and consider using email clients that disable script execution or render emails in plain text.
6. Employ Content Security Policy (CSP) headers where applicable to limit script execution in webmail interfaces.
7. Conduct regular security assessments of authentication workflows and email generation processes to detect similar injection flaws.
8. If upgrading immediately is not feasible, consider disabling the additional signup fields feature temporarily to eliminate the vector.
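The following is an added JavaScript example, not Auth0 code: it puts the CWE-79 pattern from the advisory (a display name from `user_metadata` interpolated straight into an HTML email body) next to a hardened renderer that escapes every user-controlled value, and adds a check for recommendation 4 that flags stored names containing markup. The template text, the `verifyUrl` parameter, and the metadata shape are assumptions.

```javascript
// Added example (not Auth0's code). The template string, the verifyUrl parameter
// and the { name } metadata shape are assumptions made for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: user_metadata.name is interpolated into the HTML body
// unchanged, so markup submitted in an additional signup field becomes part
// of the delivered email (the recipient's "name" is rendered as HTML).
function renderVerificationEmailUnsafe(userMetadata, verifyUrl) {
  return `<p>Hi ${userMetadata.name}, confirm your address: <a href="${verifyUrl}">Verify</a></p>`;
}

// Hardened pattern: every user-controlled value is escaped for its HTML context
// at render time, regardless of what the signup widget did client-side.
function renderVerificationEmailSafe(userMetadata, verifyUrl) {
  const name = escapeHtml(userMetadata.name);
  const href = escapeHtml(verifyUrl);
  return `<p>Hi ${name}, confirm your address: <a href="${href}">Verify</a></p>`;
}

// Detection helper for recommendation 4: a display name should not contain
// tags or HTML entities. Returns the names in a batch that look like injection.
const MARKUP_RE = /<[^>]*>|&#?\w+;/;
function findSuspiciousNames(userMetadataList) {
  return userMetadataList
    .filter((m) => typeof m.name === 'string' && MARKUP_RE.test(m.name))
    .map((m) => m.name);
}

// Constructed sample data: one benign name and one carrying an injected anchor.
const SAMPLE_USERS = [
  { name: 'Alice Example' },
  { name: 'Bob <a href="https://attacker.example">click</a>' },
];
const SAMPLE_URL = 'https://app.example/verify?t=placeholder-token';

console.log('unsafe :', renderVerificationEmailUnsafe(SAMPLE_USERS[1], SAMPLE_URL));
console.log('safe   :', renderVerificationEmailSafe(SAMPLE_USERS[1], SAMPLE_URL));
console.log('flagged:', findSuspiciousNames(SAMPLE_USERS));
```

Running the block prints the injected anchor intact in the unsafe output, the same name rendered as literal text in the safe output, and the injected name as the only flagged entry.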
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-04-13T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9843c4522896dcbf2f2f
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 8:50:16 AM
Last updated: 7/26/2025, 12:54:01 PM