CVE-2020-36599

CRITICAL

OmniAuth <1.9.2, <2.0 - Info Disclosure

Title source: llm

Description

lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

Scores

CVSS v3 9.8
EPSS 0.0062
EPSS Percentile 70.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-116
Status published
Products (3)
omniauth/omniauth 2.0.0 pre.rc1
omniauth/omniauth < 1.9.2
rubygems/omniauth 0 - 1.9.2 (RubyGems)
Published Aug 18, 2022
Tracked Since Feb 18, 2026