CVE-2019-8400
NONE EPSS 67.3%
Published Feb 17, 20197y ago ยท Modified Jun 17, 20262w ago
Published Feb 17, 2019 7y ago
Last Modified Jun 17, 2026 2w ago
Description
ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oauth2/fallbacks/error error_hint parameter.
Threat Intelligence
EPSS Exploit Probability
67.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 129
| Vendor | Product | Version | Range |
|---|---|---|---|
| ory | hydra | 0.1 | any |
| ory | hydra | 0.1 | any |
| ory | hydra | 0.1 | any |
| ory | hydra | 0.1 | any |
| ory | hydra | 0.2.0 | any |
| ory | hydra | 0.3.0 | any |
| ory | hydra | 0.3.1 | any |
| ory | hydra | 0.4.0 | any |
| ory | hydra | 0.4.1 | any |
| ory | hydra | 0.4.2 | any |
| ory | hydra | 0.4.2 | any |
| ory | hydra | 0.4.2 | any |
| ory | hydra | 0.4.2 | any |
| ory | hydra | 0.4.2 | any |
| ory | hydra | 0.4.2 | any |
| ory | hydra | 0.4.3 | any |
| ory | hydra | 0.5.0 | any |
| ory | hydra | 0.5.1 | any |
| ory | hydra | 0.5.2 | any |
| ory | hydra | 0.5.3 | any |
| ory | hydra | 0.5.4 | any |
| ory | hydra | 0.5.5 | any |
| ory | hydra | 0.5.6 | any |
| ory | hydra | 0.5.7 | any |
| ory | hydra | 0.5.8 | any |
| ory | hydra | 0.6.0 | any |
| ory | hydra | 0.6.1 | any |
| ory | hydra | 0.6.2 | any |
| ory | hydra | 0.6.3 | any |
| ory | hydra | 0.6.4 | any |
| ory | hydra | 0.6.5 | any |
| ory | hydra | 0.6.6 | any |
| ory | hydra | 0.6.7 | any |
| ory | hydra | 0.6.8 | any |
| ory | hydra | 0.6.9 | any |
| ory | hydra | 0.6.10 | any |
| ory | hydra | 0.7.0 | any |
| ory | hydra | 0.7.1 | any |
| ory | hydra | 0.7.2 | any |
| ory | hydra | 0.7.3 | any |
| ory | hydra | 0.7.4 | any |
| ory | hydra | 0.7.5 | any |
| ory | hydra | 0.7.6 | any |
| ory | hydra | 0.7.7 | any |
| ory | hydra | 0.7.8 | any |
| ory | hydra | 0.7.9 | any |
| ory | hydra | 0.7.10 | any |
| ory | hydra | 0.7.11 | any |
| ory | hydra | 0.7.12 | any |
| ory | hydra | 0.7.13 | any |
| ory | hydra | 0.8.0 | any |
| ory | hydra | 0.8.1 | any |
| ory | hydra | 0.8.2 | any |
| ory | hydra | 0.8.3 | any |
| ory | hydra | 0.8.4 | any |
| ory | hydra | 0.8.5 | any |
| ory | hydra | 0.8.6 | any |
| ory | hydra | 0.8.7 | any |
| ory | hydra | 0.9.0 | any |
| ory | hydra | 0.9.1 | any |
| ory | hydra | 0.9.2 | any |
| ory | hydra | 0.9.3 | any |
| ory | hydra | 0.9.4 | any |
| ory | hydra | 0.9.5 | any |
| ory | hydra | 0.9.6 | any |
| ory | hydra | 0.9.7 | any |
| ory | hydra | 0.9.8 | any |
| ory | hydra | 0.9.9 | any |
| ory | hydra | 0.9.10 | any |
| ory | hydra | 0.9.11 | any |
| ory | hydra | 0.9.12 | any |
| ory | hydra | 0.9.13 | any |
| ory | hydra | 0.9.14 | any |
| ory | hydra | 0.9.15 | any |
| ory | hydra | 0.9.16 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.0 | any |
| ory | hydra | 0.10.1 | any |
| ory | hydra | 0.10.2 | any |
| ory | hydra | 0.10.3 | any |
| ory | hydra | 0.10.4 | any |
| ory | hydra | 0.10.5 | any |
| ory | hydra | 0.10.6 | any |
| ory | hydra | 0.10.7 | any |
| ory | hydra | 0.10.8 | any |
| ory | hydra | 0.10.9 | any |
| ory | hydra | 0.10.10 | any |
| ory | hydra | 0.11.0 | any |
| ory | hydra | 0.11.1 | any |
| ory | hydra | 0.11.2 | any |
| ory | hydra | 0.11.3 | any |
| ory | hydra | 0.11.4 | any |
| ory | hydra | 0.11.6 | any |
| ory | hydra | 0.11.7 | any |
| ory | hydra | 0.11.9 | any |
| ory | hydra | 0.11.10 | any |
| ory | hydra | 0.11.12 | any |
| ory | hydra | 0.11.14 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
| ory | hydra | 1.0.0 | any |
References 5
- drive.google.com https://drive.google.com/file/d/1-25expUYVfK6vsiCmEabUCuelOP7aUDj/view?usp=drivesdk
- github.com https://github.com/ory/hydra/blob/master/CHANGELOG.md#v100-rc3oryos9-2018-12-06
- github.com https://github.com/ory/hydra/commit/9b5bbd48a72096930af08402c5e07fce7dd770f3
- hackerone.com https://hackerone.com/reports/456333
- youtube.com https://www.youtube.com/watch?v=RIyZLeKEC8E
Remediation
- github.com https://github.com/ory/hydra/commit/9b5bbd48a72096930af08402c5e07fce7dd770f3