{"id":"CVE-2019-16751","details":"An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.","aliases":["GHSA-mvqr-r76c-wm5f"],"modified":"2026-04-11T20:52:27.388573Z","published":"2019-09-24T18:15:11.030Z","references":[{"type":"EVIDENCE","url":"https://github.com/lynndylanhurley/devise_token_auth/issues/1332"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lynndylanhurley/devise_token_auth","events":[{"introduced":"c11dd18c4cc9a78ab60cd668f06cfd5b2d13e4ec"},{"last_affected":"b6915aa1bd12e28236ef6e9821a29fba5c5039d2"}],"database_specific":{"cpe":"cpe:2.3:a:devise_token_auth_project:devise_token_auth:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0.1.33"},{"last_affected":"1.1.2"}],"source":"CPE_FIELD"}}],"versions":["v0.1.33","v0.1.34","v0.1.35","v0.1.36","v0.1.37","v0.1.37.beta1","v0.1.37.beta2","v0.1.37.beta3","v0.1.37.beta4","v0.1.38","v0.1.39","v0.1.40","v0.1.41","v0.1.42","v0.1.43","v0.1.43.beta1","v1.0.0","v1.0.0rc1","v1.0.0rc2","v1.1.0","v1.1.1","v1.1.2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16751.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}