CVE-2019-16751

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
devise_token_auth_projectdevise_token_auth
0.1.33 ≤
𝑥
≤ 1.1.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/lynndylanhurley/devise_token_auth/issues/1332
https://github.com/lynndylanhurley/devise_token_auth/issues/1332