CVE-2018-1000088

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-1000088
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000088.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-1000088
Aliases
Downstream
Published
2018-03-13T15:29:01.300Z
Modified
2026-04-10T04:03:18.969241Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client's name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0.

References

Affected packages

Git / github.com/doorkeeper-gem/doorkeeper

Affected ranges

Type
GIT
Repo
https://github.com/doorkeeper-gem/doorkeeper
Events
Introduced
1415013c652009340717d173dcb72bf6d2d119b5
Last affected
23a02a807cbe6a1bd94aa660a440cb158cad6184
Fixed
644d2ceb41411b9b320a6c8ee769762b37deba01
Database specific 
{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "last_affected": "4.2.5"
        }
    ]
}

Affected versions

v2.*
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v3.*
v3.0.0
v3.0.0.rc1
v3.0.0.rc2
v3.0.1
v4.*
v4.0.0
v4.0.0.rc1
v4.0.0.rc2
v4.0.0.rc3
v4.0.0.rc4
v4.1.0
v4.2.0
v4.2.5
v4.2.6

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000088.json"