Vulnerability Details CVE-2019-16751
An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 72.3%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
Products affected by CVE-2019-16751
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.33
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.34
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.35
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.36
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.37
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.38
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.39
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.40
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.41
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.42
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.1.43
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:0.2.0
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:1.0.0
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:1.1.0
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:1.1.1
-
cpe:2.3:a:devise_token_auth_project:devise_token_auth:1.1.2