RubySec

Providing security resources for the Ruby community

CVE-2018-3769 (grape): ruby-grape Gem has XSS via "format" parameter

GEM

grape

PATCHED VERSIONS

  • >= 1.1.0

DESCRIPTION

When a GET request to the API includes a “format” parameter, the value of that parameter is rendered unescaped into the response body, which the web server returns with a text/html content-type header.

Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
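As an added illustration that is not grape's code or its fix, the following plain-Ruby, Rack-style handler shows the reflection pattern the advisory describes beside a hardened variant (allowlisted formats, HTML-escaped echo, plain-text error response) and a small detection check; the format allowlist and message text are assumptions.

```ruby
require "cgi"
require "uri"

# Formats the hypothetical API can render; anything else is rejected (assumption).
KNOWN_FORMATS = %w[json xml txt].freeze

# Extract the "format" query parameter from a raw query string (nil if absent).
def requested_format(query_string)
  URI.decode_www_form(query_string).to_h["format"]
end

# Pattern the advisory describes: an unknown "format" value is interpolated
# straight into an HTML error body. Returns a Rack-style [status, headers, body].
def vulnerable_format_response(query_string)
  fmt = requested_format(query_string)
  if fmt.nil? || KNOWN_FORMATS.include?(fmt)
    return [200, { "Content-Type" => "application/json" }, ["{}"]]
  end
  [406, { "Content-Type" => "text/html" },
   ["<p>The requested format '#{fmt}' is not supported.</p>"]]
end

# Hardened variant: the echoed value is HTML-escaped and the error is served
# as plain text, so a browser never interprets the reflected input as markup.
def hardened_format_response(query_string)
  fmt = requested_format(query_string)
  if fmt.nil? || KNOWN_FORMATS.include?(fmt)
    return [200, { "Content-Type" => "application/json" }, ["{}"]]
  end
  [406, { "Content-Type" => "text/plain; charset=utf-8" },
   ["The requested format '#{CGI.escapeHTML(fmt)}' is not supported."]]
end

# Detection helper: true when the response is HTML and still contains the
# untrusted input byte-for-byte, i.e. the reflection was not neutralised.
def reflects_raw_input?(response, untrusted_value)
  _status, headers, body = response
  headers["Content-Type"].to_s.start_with?("text/html") &&
    body.join.include?(untrusted_value)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a harmless markup string, not a real attack payload.
  probe = "<b>bold</b>"
  qs = URI.encode_www_form("format" => probe)
  puts "vulnerable reflects raw input: #{reflects_raw_input?(vulnerable_format_response(qs), probe)}"
  puts "hardened reflects raw input:   #{reflects_raw_input?(hardened_format_response(qs), probe)}"
end
```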