CVE-2019-16751

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-16751
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16751.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-16751
Aliases
Published
2019-09-24T18:15:11Z
Modified
2024-05-14T06:55:45.866127Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to reflected cross-site scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.

References

Affected packages

Git / github.com/lynndylanhurley/devise_token_auth

Affected ranges

Type
GIT
Repo
https://github.com/lynndylanhurley/devise_token_auth
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.10
v0.1.11
v0.1.12
v0.1.13
v0.1.14
v0.1.15
v0.1.16
v0.1.17
v0.1.2
v0.1.20
v0.1.22
v0.1.23
v0.1.24
v0.1.25
v0.1.26
v0.1.26.beta1
v0.1.26.beta3
v0.1.27
v0.1.27.beta3
v0.1.28
v0.1.28.beta2
v0.1.28.beta3
v0.1.28.beta5
v0.1.28.beta6
v0.1.28.beta7
v0.1.28.beta8
v0.1.29
v0.1.29.beta1
v0.1.29.beta2
v0.1.29.beta3
v0.1.29.beta4
v0.1.29.beta5
v0.1.29.beta6
v0.1.29.beta7
v0.1.3
v0.1.30
v0.1.30.beta2
v0.1.30.beta3
v0.1.30.beta4
v0.1.30.beta5
v0.1.30.beta6
v0.1.31
v0.1.31.beta1
v0.1.31.beta10
v0.1.31.beta2
v0.1.31.beta3
v0.1.31.beta4
v0.1.31.beta5
v0.1.31.beta6
v0.1.31.beta7
v0.1.31.beta8
v0.1.31.beta9
v0.1.32
v0.1.32.beta1
v0.1.32.beta2
v0.1.32.beta3
v0.1.32.beta4
v0.1.32.beta5
v0.1.32.beta6
v0.1.32.beta7
v0.1.32.beta8
v0.1.32.beta9
v0.1.33
v0.1.34
v0.1.35
v0.1.36
v0.1.37
v0.1.37.beta1
v0.1.37.beta2
v0.1.37.beta3
v0.1.37.beta4
v0.1.38
v0.1.39
v0.1.4
v0.1.40
v0.1.41
v0.1.42
v0.1.43
v0.1.43.beta1
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9

v1.*

v1.0.0
v1.0.0rc1
v1.0.0rc2
v1.1.0
v1.1.1
v1.1.2