Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-36599

lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

Published

2022-08-18T23:15:08.187

Last Modified

2024-11-21T05:29:51.683

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

Weaknesses

Type: Primary
CWE-116

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	omniauth	omniauth	< 1.9.2	Yes
Application	omniauth	omniauth	2.0.0	Yes

References

https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2 Patch, Third Party Advisory ([email protected])
https://rubygems.org/gems/omniauth/versions/1.9.2 Product ([email protected])
https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://rubygems.org/gems/omniauth/versions/1.9.2 Product (af854a3a-2127-422b-91ae-364da2661108)