CVE-2018-11627: XSS
First published: Thu May 31 2018(Updated: )
It was found that Sinatra is vulnerable to an XSS via the 400 Bad Request page that occurs upon a params parser exception. Upstream issue: <a href="https://github.com/sinatra/sinatra/issues/1428">https://github.com/sinatra/sinatra/issues/1428</a> Introduced by: <a href="https://github.com/sinatra/sinatra/commit/8f8df53ff29938ace79b31097c27d9cdac803b44">https://github.com/sinatra/sinatra/commit/8f8df53ff29938ace79b31097c27d9cdac803b44</a> Upstream patch: <a href="https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a">https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/sinatra | >=2.0.0<2.0.2 | 2.0.2 |
| Sinatrarb Sinatra | <2.0.2 | |
| Redhat Cloudforms | =4.6 | |
| Redhat Cloudforms | =4.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2018-11627
- https://github.com/sinatra/sinatra/issues/1428
- https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a
- https://access.redhat.com/errata/RHSA-2019:0212
- https://access.redhat.com/errata/RHSA-2019:0315
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2018-11627.yml
- https://github.com/advisories/GHSA-mq35-wqvf-r23c (Advisory)
- https://github.com/sinatra/sinatra/commit/8f8df53ff29938ace79b31097c27d9cdac803b44
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1585221
- https://bugzilla.redhat.com/show_bug.cgi?id=1585218
Frequently Asked Questions
What is the severity of CVE-2018-11627?
The severity of CVE-2018-11627 is medium.
How can an attacker exploit CVE-2018-11627?
An attacker can exploit CVE-2018-11627 by injecting malicious code through a specially crafted request, leading to cross-site scripting (XSS) attacks.
What is the affected software of CVE-2018-11627?
The affected software of CVE-2018-11627 includes Sinatra versions before 2.0.2, Redhat Cloudforms versions 4.6 and 4.7.
What is the remedy for CVE-2018-11627?
To remediate CVE-2018-11627, upgrade to Sinatra version 2.0.2 or later.
Where can I find more information about CVE-2018-11627?
You can find more information about CVE-2018-11627 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-11627), [GitHub Issue](https://github.com/sinatra/sinatra/issues/1428), [GitHub Commit](https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a).
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-mq35-wqvf-r23c
- alias/CVE-2018-11627
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- agent/remedy
- agent/severity
- agent/references
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/tags
- agent/first-publish-date
- agent/event
- agent/trending
- vendor/sinatrarb
- canonical/sinatrarb sinatra
- vendor/redhat
- canonical/redhat cloudforms
- version/redhat cloudforms/4.6
- version/redhat cloudforms/4.7
- package-manager/rubygems
- package-manager/redhat