ruby-grape Gem has XSS via "format" parameter
Published: May 23, 2018
SECURITY IDENTIFIERS
- CVE: CVE-2018-3769 (NVD)
- GHSA: GHSA-f599-5m7p-hcpf
- Vendor Advisory: https://github.com/ruby-grape/grape/issues/1762
GEM
SEVERITY
CVSS v3.x: 6.1 (Medium)
PATCHED VERSIONS
>= 1.1.0
DESCRIPTION
When a GET request to the API contains the "format" parameter, the value of this parameter is rendered into the response while the web server responds with a text/html Content-Type header, so script in the value executes in the browser.
Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
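As an added illustration (not Grape's own code), a small Rack-style responder in Ruby that reproduces the reflection the advisory describes beside a hardened version that never echoes the raw value into an HTML body, plus a detection check for suspicious format values; the supported-format list and the query-string parsing are assumptions.

```ruby
require 'cgi'
require 'uri'

# Assumption: the formats this API registers (constructed for the example).
SUPPORTED_FORMATS = %w[json xml txt].freeze

# Pull the "format" value out of a raw query string, e.g. "format=%3Cscript%3E".
def requested_format(query_string)
  pairs = URI.decode_www_form(query_string.to_s)
  pair = pairs.find { |k, _| k == 'format' }
  pair && pair[1]
end

# Unsafe variant: echoes an unknown format into a text/html body verbatim.
# This mirrors the behaviour the advisory describes; it is here for contrast only.
def respond_unsafe(query_string)
  fmt = requested_format(query_string)
  return [200, { 'Content-Type' => 'application/json' }, ['{}']] if SUPPORTED_FORMATS.include?(fmt)
  [406, { 'Content-Type' => 'text/html' }, ["The requested format '#{fmt}' is not supported."]]
end

# Hardened variant: the error is text/plain, so the browser will not run markup,
# and the value is HTML-escaped anyway so a later Content-Type change cannot
# reintroduce the reflection.
def respond_hardened(query_string)
  fmt = requested_format(query_string)
  return [200, { 'Content-Type' => 'application/json' }, ['{}']] if SUPPORTED_FORMATS.include?(fmt)
  [406, { 'Content-Type' => 'text/plain' },
   ["The requested format '#{CGI.escapeHTML(fmt.to_s)}' is not supported."]]
end

# Detection helper for request logs or a WAF rule: a format name should only
# ever be a short alphanumeric token, so anything else is worth flagging.
def suspicious_format?(query_string)
  fmt = requested_format(query_string)
  !fmt.nil? && fmt !~ /\A[a-z0-9_-]+\z/i
end
```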
