UBUNTU-CVE-2018-1000088

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2018-1000088

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-1000088.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2018-1000088

Related

CVE-2018-1000088

Published

2018-03-13T15:29:00Z

Modified

2024-10-15T14:06:22Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client's name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0.

References

Affected packages

Ubuntu:Pro:16.04:LTS / ruby-doorkeeper

Package

Name: ruby-doorkeeper
Purl: pkg:deb/ubuntu/ruby-doorkeeper?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.1-1

2.2.1-1ubuntu0.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:18.04:LTS / ruby-doorkeeper

Package

Name: ruby-doorkeeper
Purl: pkg:deb/ubuntu/ruby-doorkeeper?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.1-1

Affected versions

4.*

4.2.0-3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "4.3.1-1",
            "binary_name": "ruby-doorkeeper"
        }
    ]
}