RubySec

Providing security resources for the Ruby community

CVE-2018-11627 (sinatra): XSS via the 400 Bad Request page

XSS via the 400 Bad Request page

Published: May 31, 2018

SECURITY IDENTIFIERS

GEM

sinatra

SEVERITY

CVSS v3.x: 6.1 (Medium)

UNAFFECTED VERSIONS

< 2.0.0.beta1 = 2.0.0-alpha

PATCHED VERSIONS

>= 2.0.2

DESCRIPTION

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories