F3Ndot

**Name of the Vulnerable Software and Affected Versions** Doorkeeper versions 4.2.0 and later **Description** The issue is related to an Incorrect Access Control vulnerability in the Token revocation API's authorized method. This can result in access tokens not being revoked for public OAuth apps, leading to access leaks until the tokens expire. **Recommendations** For Doorkeeper versions 4.2.0 and later, update to a version that includes a fix for the Token revocation API's authorized method to ensure access tokens are properly revoked for public OAuth apps.

Name of the Vulnerable Software and Affected Versions: Doorkeeper versions 2.1.0 through 4.2.5 Description: The issue is related to a Cross Site Scripting (XSS) vulnerability in the web view's OAuth app form and user authorization prompt web view. This can result in Stored XSS on the OAuth Client's name, causing users interacting with it to execute a payload. The attack is exploitable via tricking the victim into clicking an opaque link to the web view that runs the XSS payload, which is virtually indistinguishable from a normal link. Recommendations: For versions 2.1.0 through 4.2.5, update to version 4.2.6 or 4.3.0 to resolve the issue. As a temporary workaround, consider restricting access to the OAuth app form and user authorization prompt web view until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Tinfoil Devise-two-factor versions prior to 2.0.0 **Description** The issue arises from not strictly following section 5.2 of RFC 6238, which leads to not "burning" a successfully validated one-time password (OTP). This allows attackers with a target user's login credentials to log in as the user by obtaining the OTP through man-in-the-middle attacks or shoulder surfing and then replaying the OTP in the current time-step. **Recommendations** For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue.