grape 0.0.0.alpha.1
1 security vulnerability found in version 0.0.0.alpha.1
ruby-grape Gem has XSS via "format" parameter
medium severity CVE-2018-3769
Patched versions:
>= 1.1.0
When a GET request to the API contains the "format" parameter, the value of that parameter is reflected into the response body, and the web server serves that response with a text/html Content-Type header, so a script tag supplied in the parameter is executed by the browser.
Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
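The following is an added illustration, not code from the grape project or from the advisory. It reduces the reported behaviour to a plain Ruby handler that takes the query string from the URL above: the vulnerable handler reflects an unknown format value into an HTML error body, while the hardened handler validates the value against the formats the API actually supports and HTML-escapes it in a plain-text error. The handler names, the supported-format table and the error wording are assumptions made for the example, not grape's own.

```ruby
require 'cgi'
require 'uri'

# Formats this example API knows how to render (assumed for the example).
SUPPORTED_FORMATS = {
  'json' => 'application/json',
  'xml'  => 'application/xml',
  'txt'  => 'text/plain'
}.freeze

# Parse ?format=... from a request URL the way the advisory's example is written.
# URI.decode_www_form percent-decodes, so %3Cscript%3E becomes <script>.
def params_from(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end

# Vulnerable pattern: the raw parameter is interpolated into an HTML response.
def respond_vulnerable(params)
  fmt = params['format'].to_s
  if SUPPORTED_FORMATS.key?(fmt)
    [200, { 'Content-Type' => SUPPORTED_FORMATS[fmt] }, 'ok']
  else
    [406, { 'Content-Type' => 'text/html' },
     "The requested format '#{fmt}' is not supported."]
  end
end

# Hardened pattern: only known formats are ever echoed; anything else is
# HTML-escaped and returned as text/plain, so a browser never interprets it.
def respond_hardened(params)
  fmt = params['format'].to_s
  if SUPPORTED_FORMATS.key?(fmt)
    [200, { 'Content-Type' => SUPPORTED_FORMATS[fmt] }, 'ok']
  else
    [406, { 'Content-Type' => 'text/plain' },
     "The requested format '#{CGI.escapeHTML(fmt)}' is not supported."]
  end
end

# True when a response would execute the injected script: the raw tag is in
# the body and the body is served as HTML.
def reflects_script?(response)
  status, headers, body = response
  status != 200 && headers['Content-Type'] == 'text/html' && body.include?('<script>')
end

if __FILE__ == $0
  url = 'http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E'
  params = params_from(url)
  puts "vulnerable: #{respond_vulnerable(params).inspect}"
  puts "hardened:   #{respond_hardened(params).inspect}"
end
```

The decisive fix is not the escaping alone: an API that only ever answers with JSON, XML or plain text has no reason to serve an error as text/html, so the hardened handler also takes away the content type that makes the reflected value executable.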
1 memory leak found in version 0.0.0.alpha.1
Memory leak in formatter middleware
301
Patched versions:
>= 0.10
Leaky versions:
< 0.2.5
The formatter middleware calls .to_sym on the client-supplied format value. Symbols created this way are never garbage collected on the Ruby interpreters of the time (dynamic symbols only became collectable in Ruby 2.2), so every distinct value sent by a client stays in memory for the life of the process, and a malicious client can exhaust memory by sending many different format values.
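The following is an added example, not code from the grape project or from the advisory. It contrasts the leaky pattern (interning whatever the client sends) with the safe one (comparing the input as a string against the symbols that already exist at boot, so no new symbol is ever created from untrusted input). The helper `interned?` checks `Symbol.all_symbols` to show the difference; the format table and function names are assumptions made for this example.

```ruby
# Formats the API can render; these symbols exist from the moment the file loads.
KNOWN_FORMATS = { json: 'application/json', xml: 'application/xml', txt: 'text/plain' }.freeze

# Leaky pattern: interning attacker-controlled input. Each distinct value adds a
# symbol, and on Ruby < 2.2 symbols are never garbage collected.
def unsafe_format_symbol(param)
  param.to_s.to_sym
end

# Safe pattern: compare as strings against the known set and return the symbol
# that already exists, or nil. No symbol is created from the request.
def safe_format_symbol(param)
  wanted = param.to_s
  KNOWN_FORMATS.keys.find { |sym| sym.to_s == wanted }
end

# True if some symbol with exactly this spelling exists in the process.
# The comparison goes through Symbol#to_s, so the check itself interns nothing.
def interned?(str)
  Symbol.all_symbols.any? { |sym| sym.to_s == str }
end

# Look up a content type for a request, never interning the raw parameter.
def content_type_for(param)
  sym = safe_format_symbol(param)
  sym ? KNOWN_FORMATS[sym] : nil
end

if __FILE__ == $0
  # A value no code has ever turned into a symbol (constructed input).
  attacker_value = "format_#{rand(10**12)}_#{rand(10**12)}"
  puts "before: #{interned?(attacker_value)}"        # false
  safe_format_symbol(attacker_value)
  puts "after safe lookup: #{interned?(attacker_value)}"   # still false
  kept = unsafe_format_symbol(attacker_value)
  puts "after to_sym: #{interned?(attacker_value)} (#{kept.inspect})"  # true
end
```

On Ruby 2.2 and later a dynamically created symbol can be collected once nothing references it, which limits the damage on modern interpreters, but the string comparison above costs nothing and keeps the request path from ever growing the symbol table.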
The author did not declare a license for this gem in the gemspec.
This gem version carries an MIT license in its source code, but the license is not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.