grape 0.2.1
1 security vulnerability
found in version
0.2.1
ruby-grape Gem has XSS via "format" parameter
medium severity CVE-2018-3769
medium severity
CVE-2018-3769
Patched versions:
>= 1.1.0
When request on API contains the "format" parameter in GET, the input value of this parameter is rendered as the web-server responds with text/html header.
Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
1 memory leak
found in version
0.2.1
Memory leak in formatter middleware
301
Patched versions:
>= 0.10
Leaky versions:
< 0.2.5
The call for .to_sym will leak the symbol since those are never garbage collected. Malicious users can abuse.
Gem version without a license.
Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.
This gem version is available.
This gem version has not been yanked and is still available for usage.