CVE-2019-8400
on github
Published
Severity
CVSS v3:
6.1 MEDIUM
CVSS v2:
4.3 MEDIUM
Description
ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
References
- https://www.youtube.com/watch?v=RIyZLeKEC8E
- https://hackerone.com/reports/456333
- https://github.com/ory/hydra/commit/9b5bbd48a72096930af08402c5e07fce7dd770f3
- https://github.com/ory/hydra/blob/master/CHANGELOG.md#v100-rc3oryos9-2018-12-06
- https://drive.google.com/file/d/1-25expUYVfK6vsiCmEabUCuelOP7aUDj/view?usp=drivesdk
Configurations
| CPE23 | Version Start | Version End | Exact Version |
|---|---|---|---|
| cpe:2.3:a:ory:hydra:0.10.4:*:*:*:*:*:*:* | n/a | n/a | 0.10.4 |
| cpe:2.3:a:ory:hydra:0.10.5:*:*:*:*:*:*:* | n/a | n/a | 0.10.5 |
| cpe:2.3:a:ory:hydra:0.10.6:*:*:*:*:*:*:* | n/a | n/a | 0.10.6 |
| cpe:2.3:a:ory:hydra:0.10.7:*:*:*:*:*:*:* | n/a | n/a | 0.10.7 |
| cpe:2.3:a:ory:hydra:0.10.8:*:*:*:*:*:*:* | n/a | n/a | 0.10.8 |
| cpe:2.3:a:ory:hydra:0.10.9:*:*:*:*:*:*:* | n/a | n/a | 0.10.9 |
| cpe:2.3:a:ory:hydra:0.10.10:*:*:*:*:*:*:* | n/a | n/a | 0.10.10 |
| cpe:2.3:a:ory:hydra:0.11.0:*:*:*:*:*:*:* | n/a | n/a | 0.11.0 |
| cpe:2.3:a:ory:hydra:0.11.1:*:*:*:*:*:*:* | n/a | n/a | 0.11.1 |
| cpe:2.3:a:ory:hydra:0.11.7:*:*:*:*:*:*:* | n/a | n/a | 0.11.7 |
| cpe:2.3:a:ory:hydra:0.11.9:*:*:*:*:*:*:* | n/a | n/a | 0.11.9 |
| cpe:2.3:a:ory:hydra:0.11.10:*:*:*:*:*:*:* | n/a | n/a | 0.11.10 |
| cpe:2.3:a:ory:hydra:0.11.12:*:*:*:*:*:*:* | n/a | n/a | 0.11.12 |
| cpe:2.3:a:ory:hydra:0.11.3:*:*:*:*:*:*:* | n/a | n/a | 0.11.3 |
| cpe:2.3:a:ory:hydra:0.11.6:*:*:*:*:*:*:* | n/a | n/a | 0.11.6 |
| cpe:2.3:a:ory:hydra:0.11.14:*:*:*:*:*:*:* | n/a | n/a | 0.11.14 |
| cpe:2.3:a:ory:hydra:1.0.0:beta2:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:1.0.0:beta9:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:1.0.0:beta4:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:1.0.0:beta5:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:1.0.0:beta6:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:1.0.0:beta7:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:0.11.2:*:*:*:*:*:*:* | n/a | n/a | 0.11.2 |
| cpe:2.3:a:ory:hydra:0.11.4:*:*:*:*:*:*:* | n/a | n/a | 0.11.4 |
| cpe:2.3:a:ory:hydra:1.0.0:beta1:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:1.0.0:beta3:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:1.0.0:beta8:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:0.1:beta1:*:*:*:*:*:* | n/a | n/a | 0.1 |
| cpe:2.3:a:ory:hydra:0.1:beta2:*:*:*:*:*:* | n/a | n/a | 0.1 |
| cpe:2.3:a:ory:hydra:0.1:beta3:*:*:*:*:*:* | n/a | n/a | 0.1 |
| cpe:2.3:a:ory:hydra:0.1:beta4:*:*:*:*:*:* | n/a | n/a | 0.1 |
| cpe:2.3:a:ory:hydra:0.2.0:*:*:*:*:*:*:* | n/a | n/a | 0.2.0 |
| cpe:2.3:a:ory:hydra:0.5.1:*:*:*:*:*:*:* | n/a | n/a | 0.5.1 |
| cpe:2.3:a:ory:hydra:0.5.2:*:*:*:*:*:*:* | n/a | n/a | 0.5.2 |
| cpe:2.3:a:ory:hydra:0.5.3:*:*:*:*:*:*:* | n/a | n/a | 0.5.3 |
| cpe:2.3:a:ory:hydra:0.5.4:*:*:*:*:*:*:* | n/a | n/a | 0.5.4 |
| cpe:2.3:a:ory:hydra:1.0.0:rc2:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:0.3.1:*:*:*:*:*:*:* | n/a | n/a | 0.7.5 |
| cpe:2.3:a:ory:hydra:0.4.1:*:*:*:*:*:*:* | n/a | n/a | 0.4.1 |
| cpe:2.3:a:ory:hydra:0.4.2:alpha3:*:*:*:*:*:* | n/a | n/a | 0.4.2 |
| cpe:2.3:a:ory:hydra:0.4.3:*:*:*:*:*:*:* | n/a | n/a | 0.4.3 |
| cpe:2.3:a:ory:hydra:0.5.6:*:*:*:*:*:*:* | n/a | n/a | 0.5.6 |
| cpe:2.3:a:ory:hydra:0.5.8:*:*:*:*:*:*:* | n/a | n/a | 0.5.8 |
| cpe:2.3:a:ory:hydra:0.6.6:*:*:*:*:*:*:* | n/a | n/a | 0.6.6 |
| cpe:2.3:a:ory:hydra:0.6.8:*:*:*:*:*:*:* | n/a | n/a | 0.6.8 |
| cpe:2.3:a:ory:hydra:0.4.2:*:*:*:*:*:*:* | n/a | n/a | 0.4.2 |
| cpe:2.3:a:ory:hydra:0.4.2:alpha:*:*:*:*:*:* | n/a | n/a | 0.4.2 |
| cpe:2.3:a:ory:hydra:0.4.2:alpha1:*:*:*:*:*:* | n/a | n/a | 0.4.2 |
| cpe:2.3:a:ory:hydra:0.4.2:alpha2:*:*:*:*:*:* | n/a | n/a | 0.4.2 |
| cpe:2.3:a:ory:hydra:0.6.1:*:*:*:*:*:*:* | n/a | n/a | 0.6.1 |
| cpe:2.3:a:ory:hydra:0.6.2:*:*:*:*:*:*:* | n/a | n/a | 0.6.2 |
| cpe:2.3:a:ory:hydra:0.6.3:*:*:*:*:*:*:* | n/a | n/a | 0.6.3 |
| cpe:2.3:a:ory:hydra:0.6.4:*:*:*:*:*:*:* | n/a | n/a | 0.6.4 |
| cpe:2.3:a:ory:hydra:1.0.0:rc1:*:*:*:*:*:* | n/a | n/a | 1.0.0 |
| cpe:2.3:a:ory:hydra:0.3.0:*:*:*:*:*:*:* | n/a | n/a | 0.7.4 |
| cpe:2.3:a:ory:hydra:0.4.0:*:*:*:*:*:*:* | n/a | n/a | 0.4.0 |
| cpe:2.3:a:ory:hydra:0.4.2:alpha4:*:*:*:*:*:* | n/a | n/a | 0.4.2 |
| cpe:2.3:a:ory:hydra:0.5.0:*:*:*:*:*:*:* | n/a | n/a | 0.5.0 |
| cpe:2.3:a:ory:hydra:0.5.5:*:*:*:*:*:*:* | n/a | n/a | 0.5.5 |
| cpe:2.3:a:ory:hydra:0.5.7:*:*:*:*:*:*:* | n/a | n/a | 0.5.7 |
| cpe:2.3:a:ory:hydra:0.6.0:*:*:*:*:*:*:* | n/a | n/a | 0.6.0 |
| cpe:2.3:a:ory:hydra:0.6.5:*:*:*:*:*:*:* | n/a | n/a | 0.6.5 |
| cpe:2.3:a:ory:hydra:0.6.7:*:*:*:*:*:*:* | n/a | n/a | 0.6.7 |
| cpe:2.3:a:ory:hydra:0.6.9:*:*:*:*:*:*:* | n/a | n/a | 0.6.9 |
| cpe:2.3:a:ory:hydra:0.6.10:*:*:*:*:*:*:* | n/a | n/a | 0.6.10 |
| cpe:2.3:a:ory:hydra:0.7.0:*:*:*:*:*:*:* | n/a | n/a | 0.7.0 |
| cpe:2.3:a:ory:hydra:0.7.1:*:*:*:*:*:*:* | n/a | n/a | 0.7.1 |
| cpe:2.3:a:ory:hydra:0.8.1:*:*:*:*:*:*:* | n/a | n/a | 0.8.1 |
| cpe:2.3:a:ory:hydra:0.8.2:*:*:*:*:*:*:* | n/a | n/a | 0.8.2 |
| cpe:2.3:a:ory:hydra:0.8.3:*:*:*:*:*:*:* | n/a | n/a | 0.8.3 |
| cpe:2.3:a:ory:hydra:0.8.4:*:*:*:*:*:*:* | n/a | n/a | 0.8.4 |
| cpe:2.3:a:ory:hydra:0.9.9:*:*:*:*:*:*:* | n/a | n/a | 0.9.9 |
| cpe:2.3:a:ory:hydra:0.9.10:*:*:*:*:*:*:* | n/a | n/a | 0.9.10 |
| cpe:2.3:a:ory:hydra:0.9.11:*:*:*:*:*:*:* | n/a | n/a | 0.9.11 |
| cpe:2.3:a:ory:hydra:0.9.12:*:*:*:*:*:*:* | n/a | n/a | 0.9.12 |
| cpe:2.3:a:ory:hydra:0.9.13:*:*:*:*:*:*:* | n/a | n/a | 0.9.13 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha17:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha18:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha19:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha2:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.7.2:*:*:*:*:*:*:* | n/a | n/a | 0.7.2 |
| cpe:2.3:a:ory:hydra:0.7.4:*:*:*:*:*:*:* | n/a | n/a | 0.7.4 |
| cpe:2.3:a:ory:hydra:0.7.11:*:*:*:*:*:*:* | n/a | n/a | 0.7.11 |
| cpe:2.3:a:ory:hydra:0.7.13:*:*:*:*:*:*:* | n/a | n/a | 0.7.13 |
| cpe:2.3:a:ory:hydra:0.8.6:*:*:*:*:*:*:* | n/a | n/a | 0.8.6 |
| cpe:2.3:a:ory:hydra:0.9.0:*:*:*:*:*:*:* | n/a | n/a | 0.9.0 |
| cpe:2.3:a:ory:hydra:0.9.5:*:*:*:*:*:*:* | n/a | n/a | 0.9.5 |
| cpe:2.3:a:ory:hydra:0.9.7:*:*:*:*:*:*:* | n/a | n/a | 0.9.7 |
| cpe:2.3:a:ory:hydra:0.9.14:*:*:*:*:*:*:* | n/a | n/a | 0.9.14 |
| cpe:2.3:a:ory:hydra:0.9.16:*:*:*:*:*:*:* | n/a | n/a | 0.9.16 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha14:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha16:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha20:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha3:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.1:*:*:*:*:*:*:* | n/a | n/a | 0.10.1 |
| cpe:2.3:a:ory:hydra:0.10.3:*:*:*:*:*:*:* | n/a | n/a | 0.10.3 |
| cpe:2.3:a:ory:hydra:0.7.6:*:*:*:*:*:*:* | n/a | n/a | 0.7.6 |
| cpe:2.3:a:ory:hydra:0.7.7:*:*:*:*:*:*:* | n/a | n/a | 0.7.7 |
| cpe:2.3:a:ory:hydra:0.7.8:*:*:*:*:*:*:* | n/a | n/a | 0.7.8 |
| cpe:2.3:a:ory:hydra:0.7.9:*:*:*:*:*:*:* | n/a | n/a | 0.7.9 |
| cpe:2.3:a:ory:hydra:0.9.1:*:*:*:*:*:*:* | n/a | n/a | 0.9.1 |
| cpe:2.3:a:ory:hydra:0.9.2:*:*:*:*:*:*:* | n/a | n/a | 0.9.2 |
| cpe:2.3:a:ory:hydra:0.9.3:*:*:*:*:*:*:* | n/a | n/a | 0.9.3 |
| cpe:2.3:a:ory:hydra:0.9.4:*:*:*:*:*:*:* | n/a | n/a | 0.9.4 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha1:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha10:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha11:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha12:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha5:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha6:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha7:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha8:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha9:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.7.3:*:*:*:*:*:*:* | n/a | n/a | 0.7.3 |
| cpe:2.3:a:ory:hydra:0.7.5:*:*:*:*:*:*:* | n/a | n/a | 0.7.5 |
| cpe:2.3:a:ory:hydra:0.7.10:*:*:*:*:*:*:* | n/a | n/a | 0.7.10 |
| cpe:2.3:a:ory:hydra:0.7.12:*:*:*:*:*:*:* | n/a | n/a | 0.7.12 |
| cpe:2.3:a:ory:hydra:0.8.0:*:*:*:*:*:*:* | n/a | n/a | 0.8.0 |
| cpe:2.3:a:ory:hydra:0.8.5:*:*:*:*:*:*:* | n/a | n/a | 0.8.5 |
| cpe:2.3:a:ory:hydra:0.8.7:*:*:*:*:*:*:* | n/a | n/a | 0.8.7 |
| cpe:2.3:a:ory:hydra:0.9.6:*:*:*:*:*:*:* | n/a | n/a | 0.9.6 |
| cpe:2.3:a:ory:hydra:0.9.8:*:*:*:*:*:*:* | n/a | n/a | 0.9.8 |
| cpe:2.3:a:ory:hydra:0.9.15:*:*:*:*:*:*:* | n/a | n/a | 0.9.15 |
| cpe:2.3:a:ory:hydra:0.10.0:*:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha13:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha15:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha21:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.0:alpha4:*:*:*:*:*:* | n/a | n/a | 0.10.0 |
| cpe:2.3:a:ory:hydra:0.10.2:*:*:*:*:*:*:* | n/a | n/a | 0.10.2 |