CVE-2019-16751

MEDIUM

Devise Token Auth 0.1.33-1.1.2 - Unauthenticated Reflected Cross-Site Scripting via Omniauth Failure Message Parameter

Title source: llm

Description

An issue was discovered in Devise Token Auth through 1.1.2. The OmniAuth failure endpoint is vulnerable to reflected cross-site scripting (XSS) through the message parameter: the fallback_render method in the OmniAuth callbacks controller interpolates the attacker-controlled value into the HTML it renders without escaping it. Unauthenticated attackers can craft a URL whose message parameter carries a JavaScript payload that executes in the victim's browser once the victim follows the link. The remediation is to HTML-escape the value before interpolation, or to upgrade to a release outside the affected range listed under Products.
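The following Ruby sketch, added here as an illustration and not taken from the gem's own source, reproduces the shape of the bug: an OmniAuth failure page that interpolates `params[:message]` into an HTML body. The function names, the page template and the test payload are constructed for this example; the hardened version uses the standard-library `CGI.escapeHTML`, which is the plain-Ruby equivalent of Rails' `ERB::Util.html_escape`.

```ruby
require "cgi"

# Constructed illustration of the pattern behind CVE-2019-16751: a failure
# handler that reflects an attacker-controlled query parameter into HTML.
# This is not the gem's own code; the template and names are assumptions.

# Vulnerable shape: the message is dropped into the HTML text context as-is,
# so a value like "<script>...</script>" becomes live markup in the page.
def vulnerable_failure_page(message)
  <<~HTML
    <html>
      <head></head>
      <body>
        #{message}
      </body>
    </html>
  HTML
end

# Hardened shape: escape for the HTML text context before interpolating.
# CGI.escapeHTML turns < > & " ' into entities, so the browser renders the
# payload as text instead of parsing it as an element.
def safe_failure_page(message)
  <<~HTML
    <html>
      <head></head>
      <body>
        #{CGI.escapeHTML(message.to_s)}
      </body>
    </html>
  HTML
end

# Check usable from a request spec: does the rendered page still contain the
# raw payload markup? True means the value was reflected unescaped.
def reflects_raw?(page, payload)
  page.include?(payload)
end

# Constructed probe value; any HTML tag works, a script tag is the usual test.
PAYLOAD = "<script>alert(document.domain)</script>"

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable page reflects raw tag: #{reflects_raw?(vulnerable_failure_page(PAYLOAD), PAYLOAD)}"
  puts "hardened page reflects raw tag:   #{reflects_raw?(safe_failure_page(PAYLOAD), PAYLOAD)}"
  puts safe_failure_page(PAYLOAD)
end
```

The same `reflects_raw?` check, pointed at the real failure endpoint with a harmless marker tag in the message parameter, is a quick way to confirm whether a deployed instance is still in the affected range. Note that escaping is context-specific: `CGI.escapeHTML` is correct for an HTML text or attribute context, but a value placed inside a `<script>` block would instead need JSON encoding with `</` neutralised.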

References (1)

Exploit, Third Party Advisory (x_refsource_misc)
https://github.com/lynndylanhurley/devise_token_auth/issues/1332

Scores

CVSS v3.1 6.1 (MEDIUM)
CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector NETWORK
EPSS 0.0049 (0.49%)
EPSS Percentile 65.9%

Details

CWE
CWE-79
Status published
Products (2)
devise_token_auth_project/devise_token_auth 0.1.33 - 1.1.2
rubygems/devise_token_auth 0.1.33 - 1.1.3 (RubyGems)
Published Sep 24, 2019
Tracked Since Feb 18, 2026