Rubysec

Providing security resources for the Ruby community.

Advisory Archive


---
gem: grape
date: 2018-05-23
url: https://github.com/ruby-grape/grape/issues/1762
cve: 2018-3769
title: ruby-grape Gem has XSS via "format" parameter
description: |
  When a GET request to the API includes the "format" parameter, the
  parameter's value is rendered in the response, which the web server
  returns with a text/html header.

  Example:
  http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
patched_versions:
- ">= 1.1.0"
related:
  url:
  - https://github.com/ruby-grape/grape/pull/1763
  - https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af