# CVE-2020-15119: Security Update for Auth0 Lock Library

**Published**: August 16, 2020

**CVE number**: CVE-2020-15119

**Credit**: [Muhamad Visat](https://github.com/mvisat)

## Overview

Versions up to and including `11.25.1` use `dangerouslySetInnerHTML` to display an informational message when Lock is used with a <Tooltip tip="Passwordless: Form of authentication that does not rely on a password as the first factor." cta="View Glossary" href="/docs/glossary?term=Passwordless">Passwordless</Tooltip> or Enterprise connection.

* For a Passwordless connection, the value of the input (email or phone number) is displayed back to the user while Lock waits for the verification code to be entered.
* For an Enterprise connection, the value of the input (<Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=IdP">IdP</Tooltip> Domain) from the Enterprise connection setup screen (<Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip>) is displayed back to the user when the Lock widget opens.

Because that value is inserted as raw HTML rather than as text, any markup it contains is interpreted by the browser. When a Passwordless or Enterprise connection is used, the application and its users might therefore be exposed to cross-site scripting (XSS) attacks.

## Am I affected?

You are affected by this vulnerability if all of the following conditions apply:

* You are using `auth0-lock`
* You are using Passwordless or Enterprise connection mode

## How do I fix it?

Upgrade to version `11.26.3`.
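As an added illustration of the rendering defect described in the overview and of the version check in "Am I affected?", the following JavaScript is not code from the advisory or from the `auth0-lock` code base. It models the `__html` string that `dangerouslySetInnerHTML` receives, contrasts the unescaped and escaped forms, and checks whether an installed version falls in the affected range; the message template and the input value are constructed for the example.

```javascript
// Added example, not auth0-lock's own code. The message template and the
// sample input below are constructed for illustration.

// Minimal HTML escaping for a value that is interpolated into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw input is placed into an HTML string that is
// then handed to dangerouslySetInnerHTML. Modelled here as returning the
// { __html } object that React prop would receive. A function replacement
// is used so "$"-sequences in the input are not treated as patterns.
function renderMessageUnsafe(template, input) {
  return { __html: template.replace("{input}", () => input) };
}

// Hardened pattern: escape before interpolating, so characters the browser
// would interpret as markup become inert entities. (Rendering the value as a
// text node instead of HTML is the other, simpler fix.)
function renderMessageSafe(template, input) {
  return { __html: template.replace("{input}", () => escapeHtml(input)) };
}

// True when `version` is at or below 11.25.1, the last affected release named
// in the advisory. Assumes a plain "major.minor.patch" version string.
function isAffectedLockVersion(version) {
  const parts = version.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unrecognised version: ${version}`);
  }
  const lastAffected = [11, 25, 1];
  for (let i = 0; i < 3; i++) {
    if (parts[i] < lastAffected[i]) return true;
    if (parts[i] > lastAffected[i]) return false;
  }
  return true; // exactly 11.25.1
}

// Constructed sample: an "email" carrying markup, as a user could type it.
const sampleTemplate = "We sent a code to {input}";
const sampleInput = "user@example.com<b>injected</b>";
console.log(renderMessageUnsafe(sampleTemplate, sampleInput).__html);
console.log(renderMessageSafe(sampleTemplate, sampleInput).__html);
console.log("11.25.1 affected:", isAffectedLockVersion("11.25.1"));
console.log("11.26.3 affected:", isAffectedLockVersion("11.26.3"));
```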

### Will this update impact my users?

The fix provided in the patch will not affect your users.
