Cross-site Scripting (XSS)

Affecting the sinatra gem, versions >=1.4.0.a, <1.4.6

Medium severity

Overview

sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

Affected versions of the package are vulnerable to reflected Cross-site Scripting (XSS). The development-mode 404 page reflects the request path into the response without validating or escaping it, so an attacker can craft a request whose path carries script that then executes in the victim's browser.

You can read more about Cross-site Scripting (XSS) on our blog.

Remediation

Upgrade sinatra to version 1.4.6 or higher.
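The following is an added example, not Sinatra's own source, illustrating the two points above: how an unescaped 404 page reflects markup from the request path versus one that HTML-escapes it (render_404_unescaped / render_404_escaped are constructed stand-ins), and how to check a gem version against the affected range from this advisory. The sample path PROBE_PATH is constructed for the demonstration.

```ruby
require "erb"
require "rubygems"

# Constructed sample request path containing markup; any unescaped echo of it
# would be parsed as HTML by the browser.
PROBE_PATH = "/no/such/route/<script>alert('probe')</script>"

# Vulnerable pattern (constructed, mirrors the bug class in the advisory):
# the request path is interpolated into the HTML body verbatim.
def render_404_unescaped(path)
  "<h1>Not Found</h1><p>Unknown route: #{path}</p>"
end

# Hardened pattern: the path is HTML-escaped before it is reflected, so
# '<', '>', '&', quotes become entities and cannot open a tag.
def render_404_escaped(path)
  "<h1>Not Found</h1><p>Unknown route: #{ERB::Util.html_escape(path)}</p>"
end

# Defensive check for a renderer: if the raw path (which contains markup
# characters) appears unchanged in the body, the page reflects it unescaped.
def reflects_unescaped?(renderer, path)
  return false unless path.match?(/[<>"'&]/)
  renderer.call(path).include?(path)
end

# Remediation check using the version range stated in the advisory:
# affected when >= 1.4.0.a and < 1.4.6. Gem::Requirement is from RubyGems.
AFFECTED_RANGE = Gem::Requirement.new(">= 1.4.0.a", "< 1.4.6")

def sinatra_affected?(version_string)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version_string))
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped renderer reflects markup: #{reflects_unescaped?(method(:render_404_unescaped), PROBE_PATH)}"
  puts "escaped renderer reflects markup:   #{reflects_unescaped?(method(:render_404_escaped), PROBE_PATH)}"
  %w[1.4.0.a 1.4.5 1.4.6 1.3.9].each do |v|
    puts "sinatra #{v} affected: #{sinatra_affected?(v)}"
  end
end
```

The version check is the one to wire into a CI or dependency-audit step: read the resolved sinatra version from Gemfile.lock and fail the build while sinatra_affected? returns true. The renderer check is a unit-test-style probe for any custom error page that echoes request data.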

Credit: Andy Brody
CWE: CWE-79
Snyk ID: SNYK-RUBY-SINATRA-20469
Disclosed: 11 Jun, 2014
Published: 10 Jan, 2018