VYPR
Moderate severity · NVD Advisory · Published Mar 13, 2018 · Updated Aug 5, 2024

CVE-2018-1000088

Description

Doorkeeper versions 2.1.0 through 4.2.5 contain a Cross Site Scripting (XSS) vulnerability in the web view's OAuth app form and in the user authorization prompt web view. A stored XSS payload placed in the OAuth client's name is executed by users who interact with that view. This attack appears to be exploitable by tricking the victim into clicking an opaque link to the web view that runs the XSS payload; the malicious link is virtually indistinguishable from a normal one. This vulnerability appears to have been fixed in 4.2.6 and 4.3.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Doorkeeper OAuth client name field affects versions 2.1.0–4.2.5, allowing attacker to execute JavaScript when victim clicks an authorization link.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Doorkeeper versions 2.1.0 through 4.2.5. The name field of OAuth client applications is not escaped in the default authorization prompt web view, allowing an attacker to inject arbitrary JavaScript or HTML. This impacts applications where users can create or edit OAuth clients [1][2][4].

Exploitation

To exploit, an attacker must first register or modify an OAuth client application, setting the name parameter to a malicious payload such as ``. The victim must then be tricked into clicking an opaque authorization link for the malicious client. The link is virtually indistinguishable from a legitimate one [1][4].

Impact

Successful execution results in the attacker gaining the victim's active session, leading to account compromise. The XSS runs in the context of the resource owner's browser during the implicit grant authorization flow, allowing the attacker to perform actions on behalf of the victim, potentially including granting access tokens to arbitrary clients [1][4].

Mitigation

The vulnerability is fixed in Doorkeeper versions 4.2.6 and 4.3.0, released on May 26, 2017. Administrators using default views should upgrade immediately. For those using custom views, the fix requires applying proper output escaping to the client.name value in authorization templates [1][2][4].
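As an added illustration (not Doorkeeper's own code) of the escaping difference and of a check for custom views, the Ruby below contrasts the pre-fix and post-fix shapes of the authorization prompt and scans template source for the vulnerable `raw t(...)` interpolation pattern. The prompt wording, the `flag_vulnerable_lines` helper and the sample view are constructed for this example; `ERB::Util.html_escape` stands in for the `content_tag` escaping used by the real fix.

```ruby
require 'erb'

# Constructed sample input: the client name used in the fix's regression test.
SAMPLE_CLIENT_NAME = "<div id='xss'>XSS</div>"

# Pre-fix shape of the authorization prompt (Doorkeeper <= 4.2.5): the client
# name is interpolated straight into markup that the view then passes to `raw`,
# so the browser receives the attacker's tags unescaped.
def prompt_vulnerable(client_name)
  "Authorize <strong class=\"text-info\">#{client_name}</strong> to use your account?"
end

# Post-fix shape: the untrusted value is HTML-escaped before it enters the
# markup. Rails' content_tag does this in the real fix; ERB::Util.html_escape
# stands in for it here so the snippet runs without Rails.
def prompt_escaped(client_name)
  "Authorize <strong class=\"text-info\">#{ERB::Util.html_escape(client_name)}</strong> to use your account?"
end

# Heuristic check for custom views copied from the vulnerable templates: a
# `raw t(...)` call whose argument interpolates a Ruby expression with "#{".
# (Hypothetical helper, not part of Doorkeeper.)
VULNERABLE_PATTERN = /\braw\s+t\(.*#\{/

def flag_vulnerable_lines(template_source)
  template_source.each_line.with_index(1)
                 .select { |line, _| line.match?(VULNERABLE_PATTERN) }
                 .map { |line, number| [number, line.strip] }
end

# Constructed two-variant view: line 2 is the pre-fix prompt, line 5 the fixed one.
SAMPLE_VIEW = <<~'ERB'
  <p class="h4">
    <%= raw t('.prompt', client_name: "<strong class=\"text-info\">#{ @pre_auth.client.name }</strong>") %>
  </p>
  <p class="h4">
    <%= raw t('.prompt', client_name: content_tag(:strong, class: 'text-info') { @pre_auth.client.name }) %>
  </p>
ERB

if __FILE__ == $PROGRAM_NAME
  puts prompt_vulnerable(SAMPLE_CLIENT_NAME)
  puts prompt_escaped(SAMPLE_CLIENT_NAME)
  flag_vulnerable_lines(SAMPLE_VIEW).each { |n, src| puts "line #{n}: #{src}" }
end
```

Run against a custom `authorizations/new.html.erb`, the scan flags only lines that still use the string-interpolation form.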

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions      Patched versions
doorkeeper (RubyGems)   >= 2.1.0, < 4.2.6      4.2.6

Affected products: 1

Patches: 1

Commit 7b1a8373ecd6

Merge pull request #970 from simkim/master

3 files changed · +13 −3
  • app/views/doorkeeper/applications/_form.html.erb (+1 −1, modified)
    @@ -21,7 +21,7 @@
           </span>
           <% if Doorkeeper.configuration.native_redirect_uri %>
               <span class="help-block">
    -            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: "<code>#{ Doorkeeper.configuration.native_redirect_uri }</code>") %>
    +            <%= raw t('doorkeeper.applications.help.native_redirect_uri', native_redirect_uri: content_tag(:code) { Doorkeeper.configuration.native_redirect_uri }) %>
               </span>
           <% end %>
         </div>
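Review bot: the `t(...)` result is still wrapped in `raw`, so the only thing now escaping `native_redirect_uri` is `content_tag(:code)`; that is correct for this value, but any further interpolation added to this help string later must use the same `content_tag`/escaped form rather than a `"#{...}"` string. Since `Doorkeeper.configuration.native_redirect_uri` is the application's own configuration rather than the attacker-controlled client name, this hunk is hardening of the OAuth app form rather than the fix for the reported stored XSS; a line in the commit or changelog saying so would help readers map the diff to the advisory.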
    
  • app/views/doorkeeper/authorizations/new.html.erb (+1 −1, modified)
    @@ -4,7 +4,7 @@
     
     <main role="main">
       <p class="h4">
    -    <%= raw t('.prompt', client_name: "<strong class=\"text-info\">#{ @pre_auth.client.name }</strong>") %>
    +    <%= raw t('.prompt', client_name: content_tag(:strong, class: 'text-info') { @pre_auth.client.name }) %>
       </p>
     
       <% if @pre_auth.scopes.count > 0 %>
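Review bot: this hunk is the actual fix for the client-name injection: the removed line interpolated `@pre_auth.client.name` into a plain string that `raw` then emitted unescaped, while `content_tag(:strong, class: 'text-info') { @pre_auth.client.name }` HTML-escapes the block content. Two follow-ups: `raw` still wraps the whole `t('.prompt', ...)` result, so the `.prompt` translation strings themselves must stay trusted; and because the fix lives in the view, anyone who copied `authorizations/new.html.erb` into a custom template keeps the old `"<strong ...>#{ ... }</strong>"` form, so the release notes should tell such users to apply the same change.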
    
  • spec/requests/flows/authorization_code_errors_spec.rb (+11 −1, modified)
    @@ -1,9 +1,10 @@
     require 'spec_helper_integration'
     
     feature 'Authorization Code Flow Errors' do
    +  let(:client_params) { {} }
       background do
         config_is_set(:authenticate_resource_owner) { User.first || redirect_to('/sign_in') }
    -    client_exists
    +    client_exists client_params
         create_resource_owner
         sign_in
       end
    @@ -12,6 +13,15 @@
         access_grant_should_not_exist
       end
     
    +  context "with a client trying to xss resource owner" do
    +    let(:client_name) { "<div id='xss'>XSS</div>" }
    +    let(:client_params) { { name: client_name } }
    +    scenario "resource owner visit authorization endpoint" do
    +      visit authorization_endpoint_url(client: @client)
    +      expect(page).not_to have_css("#xss")
    +    end
    +  end
    +
       context 'when access was denied' do
         scenario 'redirects with error' do
           visit authorization_endpoint_url(client: @client)
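Review bot: `expect(page).not_to have_css("#xss")` also passes if the prompt fails to render the client name at all, so the scenario does not prove the name is shown escaped; add a positive assertion such as `expect(page).to have_content(client_name)` alongside it. The `_form.html.erb` change in the first file has no corresponding spec, and the `new.html.erb` view serves every grant type while this spec only exercises the authorization code flow.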
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0