Impact
The command hydra token user starts an HTML web server that acts as an OAuth 2.0 Consumer. The exposed server is used by developers to confirm that OAuth 2.0 Authorization Code Flows are working and to run tutorials from the docs.
In case of an error, the HTML error page takes query parameters such as ?error=... and prints them in the HTML page. This output is not escaped, making cross-site scripting (XSS) possible.
The impact of this issue is negligible, because the HTML page:
- is only used during development or when first trying out ORY Hydra.
- is never exposed to the public internet.
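As an added illustration (hypothetical Go code, not Hydra's own implementation) of the defect class the advisory describes: the same error page rendered once by interpolating the query parameters into raw HTML, and once through html/template, which escapes them. The query string and parameter names are constructed for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
)

// renderErrorUnsafe interpolates the error and error_description query
// parameters straight into the HTML body. Anything the redirecting party put
// into those parameters is emitted as markup. Hypothetical code for the example.
func renderErrorUnsafe(q url.Values) string {
	return fmt.Sprintf("<h1>An error occurred</h1><p>%s: %s</p>",
		q.Get("error"), q.Get("error_description"))
}

// errorPage is parsed by html/template, so each {{.}} action is escaped
// according to the HTML context it appears in (here: text content).
var errorPage = template.Must(template.New("error").Parse(
	`<h1>An error occurred</h1><p>{{.Error}}: {{.Description}}</p>`))

// renderErrorSafe renders the same page through html/template; the parameter
// values reach the response HTML-escaped (< becomes &lt;, > becomes &gt;).
func renderErrorSafe(q url.Values) (string, error) {
	var buf bytes.Buffer
	err := errorPage.Execute(&buf, struct{ Error, Description string }{
		Error:       q.Get("error"),
		Description: q.Get("error_description"),
	})
	return buf.String(), err
}

func main() {
	// Constructed sample: a query string as an authorization server might
	// redirect back with, carrying HTML markup in error_description.
	q, _ := url.ParseQuery("error=access_denied&error_description=%3Cb%3Ebold%3C%2Fb%3E")
	fmt.Println(renderErrorUnsafe(q)) // markup is rendered as-is
	safe, _ := renderErrorSafe(q)
	fmt.Println(safe) // markup is shown as literal text
}
```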
Patches
The issue has been fixed with version v1.0.0-rc.15
Workarounds
No workarounds exist.