---
gem: grape
cve: 2018-3769
date: 2018-05-23
url: https://github.com/ruby-grape/grape/issues/1762
title: ruby-grape Gem has XSS via "format" parameter
description: |
  When a GET request to the API contains the "format" parameter, the value
  of that parameter is reflected in the response, which the web server
  sends with a text/html header.

  Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
patched_versions:
  - ">= 1.1.0"
related:
  url:
    - https://github.com/ruby-grape/grape/pull/1763
    - https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af