RubySec

Providing security resources for the Ruby community

CVE-2018-11627 (sinatra): XSS via the 400 Bad Request page

GEM

sinatra

SEVERITY

CVSS v3: 6.1

UNAFFECTED VERSIONS

  • < 2.0.0.beta1
  • 2.0.0-alpha

PATCHED VERSIONS

  • >= 2.0.2

DESCRIPTION

Sinatra before 2.0.2 has a cross-site scripting (XSS) vulnerability in the 400 Bad Request page that is rendered when the params parser raises an exception.
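An added example, not part of the RubySec advisory or the Sinatra project, that applies this advisory's unaffected and patched ranges to the sinatra version pinned in a Gemfile.lock using RubyGems' own version comparison; the lock file excerpt and the helper names are constructed for illustration.

```ruby
# Added example: decide whether a pinned sinatra version falls under this advisory.
# The version ranges are copied from the advisory; everything else is assumed.
require "rubygems"

# Unaffected: anything before the 2.0.0 pre-release line, plus 2.0.0-alpha, which
# RubyGems orders *after* 2.0.0.beta1 ("pre" sorts after "beta"), so it needs its own rule.
UNAFFECTED = ["< 2.0.0.beta1", "= 2.0.0-alpha"].map { |r| Gem::Requirement.new(r) }
PATCHED    = [Gem::Requirement.new(">= 2.0.2")]

# Returns :unaffected, :patched or :affected for a version string.
def sinatra_status(version)
  v = Gem::Version.new(version)
  return :unaffected if UNAFFECTED.any? { |req| req.satisfied_by?(v) }
  return :patched    if PATCHED.any?    { |req| req.satisfied_by?(v) }
  :affected
end

# Pulls the resolved sinatra version out of Gemfile.lock text. Only the
# four-space-indented spec line is matched, so dependency entries of other
# gems (six spaces) and names such as rack-protection are ignored.
def sinatra_version_from_lock(lock_text)
  lock_text[/^    sinatra \(([^)]+)\)$/, 1]
end

# Constructed Gemfile.lock excerpt (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (1.0.2)
      rack (2.0.5)
      rack-protection (2.0.1)
        rack
      sinatra (2.0.1)
        mustermann (~> 1.0)
        rack (~> 2.0)
        rack-protection (= 2.0.1)
        tilt (~> 2.0)
      tilt (2.0.8)
LOCK

if __FILE__ == $0
  version = sinatra_version_from_lock(SAMPLE_LOCK)
  puts "sinatra #{version}: #{sinatra_status(version)}"   # prints "sinatra 2.0.1: affected"
end
```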