CVE-2018-3769 (grape): ruby-grape Gem has XSS via "format" parameter

ADVISORIES

CVE-2018-3769 (NVD)
GHSA-f599-5m7p-hcpf
Vendor Advisory

GEM

grape

SEVERITY

CVSS v3.x: 6.1 (Medium)

PATCHED VERSIONS

>= 1.1.0

DESCRIPTION

When request on API contains the "format" parameter in GET, the input value of this parameter is rendered as the web-server responds with text/html header.

Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

https://github.com/ruby-grape/grape/pull/1763
https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af

RubySec

CVE-2018-3769 (grape): ruby-grape Gem has XSS via "format" parameter

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories