Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tdnFyLXI3NmMtd201Zs4AAiIZ
Devise Token Auth vulnerable to Cross-site Scripting
An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdnFyLXI3NmMtd201Zs4AAiIZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-mvqr-r76c-wm5f, CVE-2019-16751
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-16751
- https://github.com/lynndylanhurley/devise_token_auth/issues/1332
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise_token_auth/CVE-2019-16751.yml
- https://github.com/advisories/GHSA-mvqr-r76c-wm5f
Blast Radius: 20.7
Affected Packages
rubygems:devise_token_auth
Dependent packages: 10
Dependent repositories: 2,512
Downloads: 7,985,994 total
Affected Version Ranges: >= 0.1.33, < 1.1.3
Fixed in: 1.1.3
All affected versions: 0.1.33, 0.1.34, 0.1.35, 0.1.36, 0.1.37, 0.1.38, 0.1.39, 0.1.40, 0.1.41, 0.1.42, 0.1.43, 0.2.0, 1.0.0, 1.1.0, 1.1.1, 1.1.2
All unaffected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.20, 0.1.23, 0.1.24, 0.1.25, 0.1.26, 0.1.27, 0.1.28, 0.1.29, 0.1.30, 0.1.31, 0.1.32, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2