An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.

References

• https://nvd.nist.gov/vuln/detail/CVE-2019-16751
• lynndylanhurley/devise_token_auth#1332
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/devise_token_auth/CVE-2019-16751.yml