CVE-2019-8400: Hydra has Reflected XSS via error_hint parameter
ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
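The pattern behind this advisory, as an added Go example that is not Hydra's own code: an error page that splices `error_hint` into HTML unescaped, beside the `html/template` version that escapes it for its context. The query-string helper, the page markup and the sample query are constructed for illustration.

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// Constructed illustration, not Hydra's code: an error page that echoes the
// error_hint query parameter back to the user.

// hintFromQuery pulls error_hint from a raw query string, as a handler
// would via r.URL.Query().Get("error_hint").
func hintFromQuery(rawQuery string) string {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return ""
	}
	return q.Get("error_hint")
}

// vulnerableErrorPage splices the raw parameter into HTML, so any markup in
// error_hint is interpreted by the browser (the reflected XSS pattern).
func vulnerableErrorPage(hint string) string {
	return fmt.Sprintf("<p>Error: %s</p>", hint)
}

// errorTmpl is an html/template, which escapes values for their HTML context.
var errorTmpl = template.Must(template.New("err").Parse("<p>Error: {{.Hint}}</p>"))

// safeErrorPage renders the same page with contextual escaping applied.
func safeErrorPage(hint string) (string, error) {
	var sb strings.Builder
	err := errorTmpl.Execute(&sb, struct{ Hint string }{hint})
	return sb.String(), err
}

func main() {
	// Constructed query string carrying markup in error_hint.
	hint := hintFromQuery("error=invalid_request&error_hint=" + url.QueryEscape("<b>injected</b>"))
	fmt.Println(vulnerableErrorPage(hint)) // <p>Error: <b>injected</b></p>
	safe, _ := safeErrorPage(hint)
	fmt.Println(safe) // <p>Error: &lt;b&gt;injected&lt;/b&gt;</p>
}
```

The fix direction shown here (render through html/template rather than string formatting) is the general remedy for reflected parameters in Go handlers; the advisory's own fix is in the linked commit.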
References
- drive.google.com/file/d/1-25expUYVfK6vsiCmEabUCuelOP7aUDj/view?usp=drivesdk
- github.com/advisories/GHSA-7v6r-w4r6-mhch
- github.com/ory/hydra
- github.com/ory/hydra/blob/master/CHANGELOG.md
- github.com/ory/hydra/commit/9b5bbd48a72096930af08402c5e07fce7dd770f3
- hackerone.com/reports/456333
- nvd.nist.gov/vuln/detail/CVE-2019-8400
- www.youtube.com/watch?v=RIyZLeKEC8E