Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

Back

---
gem: doorkeeper
date: 2018-02-21
url: https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/
cve: 2018-1000088
title: Doorkeeper gem has stored XSS on authorization consent view
description: |
  Stored XSS on the OAuth Client's name will cause users being prompted for
  consent via the "implicit" grant type to execute the XSS payload.

  The XSS attack could gain access to the user's active session, resulting in
  account compromise.

  Any user is susceptible if they click the authorization link for the
  malicious OAuth client. Because of how the links work, a user cannot tell if
  a link is malicious or not without first visiting the page with the XSS
  payload.

  If 3rd parties are allowed to create OAuth clients in the app using
  Doorkeeper, upgrade to the patched versions immediately.

  Additionally there is stored XSS in the native_redirect_uri form element.

  DWF has assigned CVE-2018-1000088.
cvss_v3: '7.6'
unaffected_versions:
- "< 2.1.0"
patched_versions:
- ">= 4.2.6"
related:
  url: '["https://github.com/doorkeeper-gem/doorkeeper/issues/969", "https://github.com/doorkeeper-gem/doorkeeper/issues/970"]'