logo

Database

Reflected cross-site scripting (XSS) In devise_token_auth

Description

Devise Token Auth vulnerable to Cross-site Scripting An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-167512. NVD-2019-167513. OSV-2019-167514. GCVE-2019-16751

References

1. https://github.com/lynndylanhurley/devise_token_auth/issues/13322. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise_token_auth/CVE-2019-16751.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.