CVE-2019-16751 (devise_token_auth)

An issue was discovered in Devise Token Auth through 1.1.2. The omniauth failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the message parameter. Unauthenticated attackers can craft a URL that executes a malicious JavaScript payload in the victim’s browser. This affects the fallback_render method in the omniauth callbacks controller.
Source: NIST
CVE-2019-16751 (devise_token_auth)