CVE-2018-16471 — Cross-site Scripting in Project Rack
Severity
6.1 MEDIUM (NVD)
EPSS
0.3%
top 46.71%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 13
Latest update: Aug 7
Description
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can affect the value returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the returned value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable…
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages: 3 packages
Also affects: Debian Linux 8.0
Bugzilla (3)
CVE-2018-16471 rubygem-rack: Cross-site scripting (XSS) via `scheme` method on `Rack::Request` [epel-all] (2018-11-06)
CVE-2018-16471 rubygem-rack: Cross-site scripting (XSS) via `scheme` method on `Rack::Request` (2018-11-06)
CVE-2018-16471 rubygem-rack: Cross-site scripting (XSS) via `scheme` method on `Rack::Request` [fedora-all] (2018-11-06)