RubySec

Providing security resources for the Ruby community

CVE-2014-2538 (rack-ssl): rack-ssl Gem for Ruby Error Message Reflected XSS

ADVISORIES

GEM

rack-ssl

SEVERITY

CVSS v2: 4.3

PATCHED VERSIONS

  • >= 1.3.4

DESCRIPTION

rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.