Reflected Cross Site Scripting
The omniauth failure endpoint is vulnerable to XSS through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim's browser. This affects the fallback_render method in the omniauth callbacks controller.