CVE-2018-1000088: XSS on authorization consent view

March 13, 2018 (updated April 11, 2018)

Stored XSS on the OAuth Client’s name will cause users being prompted for consent via the implicit grant type to execute the XSS payload. The XSS attack could gain access to the user’s active session, resulting in account compromise. Any user is susceptible if they click the authorization link for the malicious OAuth client. Because of how the links work, a user cannot tell if a link is malicious or not without first visiting the page with the XSS payload. In addition, there is stored XSS in the native_redirect_uri form element.

References

blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/
github.com/doorkeeper-gem/doorkeeper/issues/969
github.com/doorkeeper-gem/doorkeeper/pull/970

Detect and mitigate CVE-2018-1000088 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →