An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.
{
"cpe": "cpe:2.3:a:devise_token_auth_project:devise_token_auth:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0.1.33"
},
{
"last_affected": "1.1.2"
}
],
"source": "CPE_RANGE"
}