CVE-2019-16751
Description
Devise Token Auth through 1.1.2 has a reflected XSS in the omniauth failure endpoint via the message parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2019-16751 is a reflected Cross-Site Scripting (XSS) vulnerability in the Devise Token Auth gem through version 1.1.2. The flaw resides in the fallback_render method within the omniauth callbacks controller [1]. The endpoint at /omniauth/failure does not properly escape user-supplied input passed through the message parameter, allowing injection of arbitrary HTML and JavaScript [2][4].
An unauthenticated attacker can craft a malicious URL containing a JavaScript payload in the message parameter. When a victim visits this crafted URL, the browser executes the injected script in the context of the vulnerable application [1][4]. The attack requires no authentication and can be delivered via phishing links or other means to lure users to the crafted URL [2].
Successful exploitation grants the attacker the ability to execute arbitrary JavaScript within the victim's session. This can lead to session hijacking, credential theft, or defacement of the page shown to the victim [1][4]. The same endpoint was also reported to suffer from an open redirect vulnerability via the auth_origin_url parameter, although that aspect is not covered by this specific CVE [4].
At the time of disclosure, the issue affected all versions up to and including 1.1.2. The reference material did not name a patched version, but the recommended remediation is to sanitize the message parameter using Rails' built-in HTML escaping (ActionView::Helpers::SanitizeHelper) or to use server-side templates that auto-escape user input [2][4]. Users of the gem should upgrade to a fixed version once released or apply the suggested workarounds in the meantime.
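To make the remediation above concrete, the following is an added illustration written for this page, not code from the devise_token_auth gem: a hypothetical failure-page renderer that interpolates the message parameter unescaped, beside a hardened version that passes it through ERB::Util.html_escape (the standard-library escaper that Rails' `h` helper delegates to). The template, method names and sample input are all constructed for the example.

```ruby
require "erb"

# Constructed stand-in for a failure page that embeds the `message` query
# parameter. The template and method names are hypothetical, not the gem's.
def failure_page(body_text)
  "<html><body><p>Authentication failed: #{body_text}</p></body></html>"
end

# Vulnerable form: the raw parameter is dropped into the HTML, so any markup
# carried in `message` becomes part of the page the browser parses.
def render_failure_unescaped(params)
  failure_page(params.fetch("message", ""))
end

# Hardened form: escape the parameter first so the browser renders it as
# text. ERB::Util.html_escape converts & < > " ' to their entity forms.
def render_failure_escaped(params)
  failure_page(ERB::Util.html_escape(params.fetch("message", "")))
end

# Regression check for a test suite: an untrusted value that contains markup
# characters must never appear verbatim in the rendered output.
def reflects_markup?(html, untrusted)
  untrusted.include?("<") && html.include?(untrusted)
end

if __FILE__ == $PROGRAM_NAME
  sample = { "message" => "<b>constructed sample</b>" } # constructed input
  puts render_failure_unescaped(sample)
  puts render_failure_escaped(sample)
end
```

The check in reflects_markup? is the kind of assertion worth adding to the application's own tests for any endpoint that echoes a request parameter: it fails on the unescaped renderer and passes on the escaped one, independent of which template engine produced the page.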
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devise_token_auth (RubyGems) | >= 0.1.33, < 1.1.3 | 1.1.3 |
Affected products
- Devise Token Auth / Devise Token Auth
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.