VYPR
Moderate severity · NVD Advisory · Published Jun 17, 2018 · Updated Aug 5, 2024

CVE-2018-11647

Description

A reflected XSS vulnerability in oauth2orize-fprm before 0.2.1 allows attackers to inject malicious HTML via crafted URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The index.js file in oauth2orize-fprm versions prior to 0.2.1 does not properly encode input values when constructing HTML forms for form_post response mode in OAuth2 flows. This allows an attacker to perform reflected cross-site scripting (XSS) by injecting arbitrary HTML via crafted URL parameters [1][2][3].
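
The missing encoding step described above, shown as an added example (not the project's code): an unencoded renderer beside one that encodes every parameter name and value regardless of type, plus a check that the output contains only the expected hidden inputs. All function names and the `aud` parameter are hypothetical; the sample values are constructed from those in the project's test.

```javascript
// Added illustration, not oauth2orize-fprm's code. All names are hypothetical.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode any value for a double-quoted HTML attribute. String() coercion
// first means numbers and arrays pass through the same encoder as strings.
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Unencoded variant: parameter values are reflected verbatim into the form.
function renderInputsUnencoded(params) {
  return Object.keys(params)
    .map((k) => `<input type="hidden" name="${k}" value="${params[k]}"/>`)
    .join('');
}

// Hardened variant: name and value are both encoded, whatever their type.
function renderInputsEncoded(params) {
  return Object.keys(params)
    .map((k) => `<input type="hidden" name="${encodeAttr(k)}" value="${encodeAttr(params[k])}"/>`)
    .join('');
}

// Check: the fragment consists of exactly `count` well-formed hidden inputs,
// i.e. no value terminated its attribute early and introduced extra markup.
function onlyHiddenInputs(html, count) {
  const found = html.match(/<input type="hidden" name="[^"<>]*" value="[^"<>]*"\/>/g) || [];
  return found.length === count && found.join('') === html;
}

// Constructed sample parameters, modelled on the values in the project's test.
const sample = {
  scope: '"></a>openid email user_metadata',
  expires_in: 86400,
  aud: ['"></a>client'], // constructed non-string value
};

console.log(onlyHiddenInputs(renderInputsUnencoded(sample), 3));
console.log(onlyHiddenInputs(renderInputsEncoded(sample), 3));
console.log(renderInputsEncoded(sample));
```

The same `onlyHiddenInputs` check can serve as a regression test for any form_post renderer by feeding it parameters of each type the server may emit.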

Exploitation

An attacker must craft a malicious URL containing HTML or JavaScript payloads in the query parameters (such as scope, state, id_token, etc.) that the OAuth2 authorization server reflects into a form hidden field. The victim must be tricked into opening this crafted URL, which, when processed by a vulnerable application, injects the payload into the HTML response without proper encoding [1][2][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the application, leading to potential information disclosure (e.g., tokens, session data) and further unauthorized actions. The attack is reflected and requires user interaction [1][3].

Mitigation

The vulnerability is fixed in oauth2orize-fprm version 0.2.1. Users should update to ^0.2.1 in their package.json dependencies. No workarounds are available; the update does not affect existing sessions [3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
oauth2orize-fprm (npm) | < 0.2.1 | 0.2.1

Patches

2bf9faee787e

Merge pull request #4 from MarcinHoppe/fix-number-encoding

3 files changed · +10 -3
  • lib/index.js +6 -1 modified
    @@ -27,7 +27,12 @@ exports = module.exports = function (txn, res, params) {
       var inputs = [];
       
       Object.keys(params).forEach(function (k) {
    -    inputs.push(input.replace('{NAME}', k).replace('{VALUE}', entities.encode(params[k])));
    +    var encoded = params[k];
    +    if (typeof params[k] === 'string') {
    +      encoded = entities.encode(params[k]);
    +    }
    +
    +    inputs.push(input.replace('{NAME}', k).replace('{VALUE}', encoded));
        });
     
       res.setHeader('Content-Type', 'text/html;charset=UTF-8');
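
Review bot: the `typeof params[k] === 'string'` branch encodes strings only, so every other type reaches `replace('{VALUE}', encoded)` raw. That is fine for a number such as `expires_in`, but an array or object value is coerced to a string by `replace()` and any markup characters in it land in the attribute unencoded. Encoding the coerced value for all types, `entities.encode(String(params[k]))`, handles the number case without leaving that gap. The key `k` is also written into `{NAME}` unencoded in both the removed and the added line; encode it the same way if parameter names can ever come from the request.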
    
  • package.json +1 -1 modified
    @@ -1,6 +1,6 @@
     {
       "name": "oauth2orize-fprm",
    -  "version": "0.2.0",
    +  "version": "0.2.1",
       "description": "Form Post response mode support for OAuth2orize.",
       "keywords": [
         "oauth2",
    
  • test/package.test.js +3 -1 modified
    @@ -74,7 +74,8 @@ nrQ5IKXuNsQ1g9ccT5DMtZSwgDFwsHMDWMPFGax5Lw6ogjwJ4AQDrhzNCFc\
                 scope: '"></a>openid email user_metadata',
                 response_mode: '"></a>form_post',
                 state: req.oauth2.req.state,
    -            id_token: '"></a>eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJqb2huIiw'
    +            id_token: '"></a>eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJqb2huIiw',
    +            expires_in: 86400
               };
     
               fprm(req.oauth2, res, params);
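
Review bot: the only non-string value added to `params` is the number `expires_in: 86400`, so the test does not pin what the renderer does with the other non-string types that now skip encoding. Add a case with an array value carrying the same `"></a>` prefix used for the string parameters above, and assert that the rendered `value` attribute comes out encoded.
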
    @@ -100,6 +101,7 @@ nrQ5IKXuNsQ1g9ccT5DMtZSwgDFwsHMDWMPFGax5Lw6ogjwJ4AQDrhzNCFc\
     <input type="hidden" name="response_mode" value="&quot;&gt;&lt;/a&gt;form_post"/>\
     <input type="hidden" name="state" value="&quot;&gt;&lt;/a&gt;DcP7csa3hMlvybERqcieLHrRzKBra"/>\
     <input type="hidden" name="id_token" value="&quot;&gt;&lt;/a&gt;eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJzdWIiOiJqb2huIiw"/>\
    +<input type="hidden" name="expires_in" value="86400"/>\
     </form></body></html>');
         });
       });
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
