GHSA-mvqr-r76c-wm5f

Suggest an improvement
Source
https://github.com/advisories/GHSA-mvqr-r76c-wm5f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mvqr-r76c-wm5f/GHSA-mvqr-r76c-wm5f.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mvqr-r76c-wm5f
Aliases
Published
2022-05-24T16:56:43Z
Modified
2023-11-01T04:50:39.567955Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
Devise Token Auth vulnerable to Cross-site Scripting
Details

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.

Database specific
{
    "nvd_published_at": "2019-09-24T18:15:00Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-08T19:56:02Z"
}
References

Affected packages

RubyGems / devise_token_auth

Package

Name
devise_token_auth
Purl
pkg:gem/devise_token_auth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.1.33
Fixed
1.1.3

Affected versions

0.*

0.1.33
0.1.34
0.1.35
0.1.36
0.1.37.beta1
0.1.37.beta2
0.1.37.beta3
0.1.37.beta4
0.1.37
0.1.38
0.1.39
0.1.40
0.1.41
0.1.42
0.1.43.beta1
0.1.43
0.2.0

1.*

1.0.0.rc1
1.0.0.rc2
1.0.0
1.1.0
1.1.1
1.1.2