CVE-2018-11627: Cross-site Scripting in Sinatra

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.4% (top 39.37%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 31; latest update Jun 5

Description

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

The vector decodes as: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope; low confidentiality and integrity impact, no availability impact.

Affected Packages (3)

Source     Package             Affected          Fixed
RubyGems   sinatra/sinatra     2.0.0             2.0.2
NVD        sinatrarb/sinatra   < 2.0.2
NVD        redhat/cloudforms   4.6, 4.7 (+1 more)

Patches: none listed

Vulnerability Details (4)

GHSA:     Sinatra Cross-site Scripting vulnerability (2018-06-05)
OSV:      Sinatra Cross-site Scripting vulnerability (2018-06-05)
CVEList:  CVE-2018-11627: Sinatra before 2... (2018-05-31)
OSV:      CVE-2018-11627: Sinatra before 2... (2018-05-31)

Vendor Advisories (2)

Red Hat:  rubygem-sinatra: XSS in the 400 Bad Request page (2018-05-22)
Debian:   CVE-2018-11627: ruby-sinatra - Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a par... (2018)

Community (2)

Bugzilla: CVE-2018-11627 rubygem-sinatra: XSS in the 400 Bad Request page [fedora-all] (2018-06-01)
Bugzilla: CVE-2018-11627 rubygem-sinatra: XSS in the 400 Bad Request page (2018-06-01)
CVE-2018-11627 — Cross-site Scripting in Sinatra | cvebase