Sha256: c6a42a3655f79c81b14987744504c5202dd4416acc84b11891cf3aac6edc1bee

Contents?: true

Size: 623 Bytes

Versions: 3

Compression:

Stored size: 623 Bytes

Contents

---
gem: grape
cve: 2018-3769
date: 2018-05-23
url: https://github.com/ruby-grape/grape/issues/1762
title: ruby-grape Gem has XSS via "format" parameter
description: |
  When request on API contains the "format" parameter in GET, the input
  value of this parameter is rendered as the web-server responds with
  text/html header.

  Example:
  http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

patched_versions:
  - ">= 1.1.0"
related:
  url:
    - https://github.com/ruby-grape/grape/pull/1763
    - https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/grape/CVE-2018-3769.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/grape/CVE-2018-3769.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/grape/CVE-2018-3769.yml