CVE-2018-1000088

N/A

Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting (XSS) vulnerability in web view's OAuth app form, user authorization prompt web view that can result in Stored XSS on the OAuth Client's name will cause users interacting with it will execute payload. This attack appear to be exploitable via The victim must be tricked to click an opaque link to the web view that runs the XSS payload. A malicious version virtually indistinguishable from a normal link.. This vulnerability appears to have been fixed in 4.2.6, 4.3.0.

N/A

N/A

Doorkeeper 跨站脚本漏洞

Ruby on Rails（Rails）是Rails核心团队开发维护的一套基于Ruby语言的开源Web应用框架。Doorkeeper是其中的一个OAuth 2（开放授权协议）提供者。 Doorkeeper 2.1.0版本至4.2.5版本中存在跨站脚本漏洞，该漏洞源于程序没有正确的校验用户提交的输入。远程攻击者可利用该漏洞向Web页面中注入恶意脚本。

N/A

N/A