Plataformatec · Devise Token Auth · CVE-2019-16751
**Name of the Vulnerable Software and Affected Versions**
Devise Token Auth versions through 1.1.2
**Description**
An issue was discovered in the omniauth failure endpoint, which is vulnerable to reflected cross-site scripting (XSS) through the `message` parameter: an unauthenticated attacker can craft a URL that executes a malicious JavaScript payload in the browser of a victim who opens it. The affected code is the `fallback_render` method in the omniauth callbacks controller.
**Recommendations**
For Devise Token Auth versions through 1.1.2, consider disabling the `fallback_render` method in the omniauth callbacks controller as a temporary workaround until a patch is available. Restrict access to the omniauth failure endpoint to minimize the risk of exploitation, and avoid relying on the `message` parameter in the affected endpoint until the issue is resolved.
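As an added illustration of the bug class the description names, not code from devise_token_auth itself, the plain-Ruby model below renders a `message` value into an inline HTML page first unescaped (the reflected-XSS pattern) and then HTML-escaped with `ERB::Util.html_escape`, which is the kind of escaping a permanent fix applies; the template, function names and sample input are constructed assumptions.

```ruby
require 'erb'

# Constructed stand-in for an inline HTML template of the kind a Rails
# controller might pass to `render inline:`. Such string templates do not
# get the automatic escaping that .html.erb views provide.
HTML_TEMPLATE = <<~HTML
  <!DOCTYPE html>
  <html>
    <head></head>
    <body>
      %s
    </body>
  </html>
HTML

# Vulnerable pattern: the raw `message` parameter becomes part of the markup,
# so any tags or script in it are interpreted by the victim's browser.
def fallback_render_unescaped(message)
  format(HTML_TEMPLATE, message)
end

# Hardened pattern: HTML-escape the value before interpolation, so the browser
# shows it as text (`<` becomes `&lt;`, `"` becomes `&quot;`, and so on).
def fallback_render_escaped(message)
  format(HTML_TEMPLATE, ERB::Util.html_escape(message))
end

# Review/test helper (constructed, not a full HTML parser): does any tag from
# the input reappear verbatim in the rendered page?
def reflects_markup?(rendered, input)
  input.scan(/<[^>]+>/).any? { |tag| rendered.include?(tag) }
end

if __FILE__ == $PROGRAM_NAME
  sample = '<b>login failed</b>' # constructed sample `message` value
  puts "unescaped reflects markup: #{reflects_markup?(fallback_render_unescaped(sample), sample)}"
  puts "escaped reflects markup:   #{reflects_markup?(fallback_render_escaped(sample), sample)}"
end
```

The `reflects_markup?` check is the assertion to keep in a regression test once the endpoint escapes its output.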