An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim’s browser. This affects the fallback_render method in the omniauth callbacks controller.
CPE (affected version range; `ge` = greater than or equal to, `le` = less than or equal to)

Name | Operator | Version
---|---|---
devise_token_auth | ge | 0.1.33
devise_token_auth | le | 1.1.2
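The pattern the advisory describes, as an added example that is not the project's own code: a failure page built by interpolating the `message` query parameter straight into inline HTML, beside a hardened variant that escapes it first. The template text, the function names, the `app.example.com` host and the payload in `ATTACK_URL` are assumptions made for illustration; the real controller's template and the upstream fix may differ in detail.

```ruby
require 'erb'
require 'cgi'
require 'uri'

# Constructed attacker URL (illustrative, not taken from the advisory):
# the failure endpoint reflects the "message" query parameter.
ATTACK_URL = 'https://app.example.com/omniauth/failure?message=' \
             '%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E'

# Pull the "message" parameter out of the URL the way the controller
# would see it in params[:message] (URL-decoded).
def message_param(url)
  query = URI.parse(url).query || ''
  CGI.parse(query).fetch('message', []).first || ''
end

# Simplified reconstruction of the vulnerable pattern (assumption: the
# real method wraps the text in an inline HTML template). The text is
# interpolated into the markup as-is, so any tags it carries are rendered
# and executed by the browser.
def fallback_render_vulnerable(text)
  <<~HTML
    <html>
      <script>window.close();</script>
      <p>#{text}</p>
    </html>
  HTML
end

# Hardened variant: HTML-escape the untrusted text before it is spliced
# into the template. ERB::Util.html_escape encodes & < > " ' so the
# payload is displayed as text rather than parsed as markup.
def fallback_render_fixed(text)
  <<~HTML
    <html>
      <script>window.close();</script>
      <p>#{ERB::Util.html_escape(text)}</p>
    </html>
  HTML
end

# Check used to verify the two variants: does any <script> element other
# than the template's own window.close() helper survive in the response?
def reflects_script?(body)
  body.scan(%r{<script[^>]*>.*?</script>}mi)
      .reject { |tag| tag.include?('window.close()') }
      .any?
end

if __FILE__ == $PROGRAM_NAME
  msg = message_param(ATTACK_URL)
  puts "vulnerable reflects payload: #{reflects_script?(fallback_render_vulnerable(msg))}"
  puts "fixed reflects payload:      #{reflects_script?(fallback_render_fixed(msg))}"
end
```

The point to take from the two variants: Rails' automatic HTML escaping only protects values that ERB substitutes at render time. When a controller assembles the template source itself with string interpolation, the untrusted text is already part of the markup before ERB sees it, so nothing escapes it; the escape has to be applied explicitly (or the value passed to the template as a variable rather than concatenated into its source).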