QwikSec

Security Database

CVE

CWE

Training

CVE-2018-16471

Published: Nov 13, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

Vendor	Product	Versions
Rack	Rack	affected `2.0.6, 1.6.11`

Weaknesses (CWE)

References

https://groups.google.com/forum/#%21topic/rubyonrails-security/GKsAFT924Ag

x_refsource_MISC

[debian-lts-announce] 20181121 [SECURITY] [DLA 1585-1] ruby-rack security update

mailing-list

x_refsource_MLIST

openSUSE-SU-2019:1553

vendor-advisory

x_refsource_SUSE

vendor-advisory

x_refsource_UBUNTU

openSUSE-SU-2020:0214

vendor-advisory

x_refsource_SUSE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.