Lucene search

MitreCVE-2019-16751

HistorySep 24, 2019 - 6:15 p.m.

CVE-2019-16751

2019-09-2418:15:11

CWE-79

mitre

web.nvd.nist.gov

cve-2019-16751

devise token auth

xss

omniauth

security vulnerability

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

37.4%

JSON

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim’s browser. This affects the fallback_render method in the omniauth callbacks controller.

Affected configurations

Nvd

Node

devise_token_auth_projectdevise_token_authRange0.1.33–1.1.2

VendorProductVersionCPE
devise_token_auth_projectdevise_token_auth*cpe:2.3:a:devise_token_auth_project:devise_token_auth:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
devise_token_auth_project	devise_token_auth	*	cpe:2.3:a:devise_token_auth_project:devise_token_auth::::::::

References

github.com/lynndylanhurley/devise_token_auth/issues/1332

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

37.4%

JSON

Related for CVE-2019-16751