Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CVE-2018-1000088 #328

Merged
merged 6 commits into from Feb 27, 2018
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
39 changes: 39 additions & 0 deletions gems/doorkeeper/CVE-2018-1000088.yml
@@ -0,0 +1,39 @@
---
gem: doorkeeper
cve: 2018-1000088
date: 2018-02-21
url: "https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/"

title: Doorkeeper gem has stored XSS on authorization consent view

description: |
Stored XSS on the OAuth Client's name will cause users being prompted for
consent via the "implicit" grant type to execute the XSS payload.

The XSS attack could gain access to the user's active session, resulting in
account compromise.

Any user is susceptible if they click the authorization link for the
malicious OAuth client. Because of how the links work, a user cannot tell if
a link is malicious or not without first visiting the page with the XSS
payload.

If 3rd parties are allowed to create OAuth clients in the app using
Doorkeeper, upgrade to the patched versions immediately.

Additionally there is stored XSS in the native_redirect_uri form element.

DWF has assigned CVE-2018-1000088.

cvss_v3: 7.6

unaffected_versions:
- "< 2.1.0"

patched_versions:
- ">= 4.2.6"

related:
url:
- https://github.com/doorkeeper-gem/doorkeeper/issues/969
- https://github.com/doorkeeper-gem/doorkeeper/issues/970