An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.
References
Link | Resource |
---|---|
https://github.com/lynndylanhurley/devise_token_auth/issues/1332 | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2019-09-24T17:14:08
Updated: 2019-09-24T17:14:08
Reserved: 2019-09-24T00:00:00
Link: CVE-2019-16751
JSON object: View
NVD Information
Status : Analyzed
Published: 2019-09-24T18:15:11.030
Modified: 2019-09-25T14:03:53.913
Link: CVE-2019-16751
JSON object: View
Redhat Information
No data.
CWE