CVE-2020-36599: Critical severity omniauth omniauth vulnerability
Published Aug 18, 2022
lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.
Affected Software
3 affected components
OmniAuth omniauth<2.0.0
OmniAuth omniauth<1.9.2
OmniAuth omniauth=2.0.0-pre.rc1
Remediation
Event History
Aug 18, 2022
CVE Published
via MITRE·10:48 PM
Data Sourced
via MITRE·10:48 PM
Description
Frequently Asked Questions
1. What is the severity of CVE-2020-36599?
   CVE-2020-36599 has a medium severity rating due to its potential for cross-site scripting (XSS) attacks.
2. How do I fix CVE-2020-36599?
   To fix CVE-2020-36599, update OmniAuth to version 1.9.2 or later, or 2.0.0 or later.
3. What is affected by CVE-2020-36599?
   CVE-2020-36599 affects all versions of OmniAuth prior to 1.9.2 and before 2.0.0.
4. What type of vulnerability is CVE-2020-36599?
   CVE-2020-36599 is a cross-site scripting (XSS) vulnerability due to improper escaping of the message_key value.
5. What are the potential impacts of CVE-2020-36599?
   The potential impacts of CVE-2020-36599 include allowing an attacker to execute malicious scripts in the context of a user's browser.
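The defect class named above, as an added illustration that is not OmniAuth's own code: a constructed stand-in for the failure redirect that interpolates message_key into the query string verbatim, beside a hardened form that URL-escapes it with the standard library's CGI.escape (the fixed releases escape this value, as the description states), plus the allow-list check a failure page can apply before echoing the key. The path prefix, strategy name and sample key are assumptions.

```ruby
require 'cgi'

# Constructed stand-in for the part of a failure endpoint that builds the
# redirect to /auth/failure. Assumed path prefix; not OmniAuth's own code.
module FailureRedirect
  PATH_PREFIX = '/auth'

  # Mirrors the behaviour the advisory describes: message_key is placed in
  # the query string as-is, so any character it carries reaches the page.
  def self.unescaped_location(message_key, strategy)
    "#{PATH_PREFIX}/failure?message=#{message_key}&strategy=#{strategy}"
  end

  # Hardened form: every value put into the query string is URL-escaped, so
  # '<', '>', '&', '"' etc. become percent-encoded and cannot alter the URL
  # or land unescaped in markup that echoes it.
  def self.escaped_location(message_key, strategy)
    "#{PATH_PREFIX}/failure?message=#{CGI.escape(message_key.to_s)}" \
      "&strategy=#{CGI.escape(strategy.to_s)}"
  end

  # Defensive check for the receiving side: a failure reason is a short
  # identifier, so accept only that shape before rendering it anywhere.
  SAFE_KEY = /\A[a-z0-9_]+\z/
  def self.safe_message_key?(value)
    !value.nil? && SAFE_KEY.match?(value)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample key containing a markup-significant character.
  key = 'invalid_credentials<b>'
  puts FailureRedirect.unescaped_location(key, 'developer')
  puts FailureRedirect.escaped_location(key, 'developer')
  puts FailureRedirect.safe_message_key?(key) # false
end
```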