grape 0.2.4
1 security vulnerability found in version 0.2.4
ruby-grape Gem has XSS via "format" parameter
medium severity CVE-2018-3769
Patched versions:
>= 1.1.0
When a GET request to the API contains the "format" parameter, the value of that parameter is rendered into the response, which the web server returns with a text/html Content-Type header, so script in the parameter executes in the browser.
Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
1 memory leak found in version 0.2.4
Memory leak in formatter middleware
301
Patched versions:
>= 0.10
Leaky versions:
< 0.2.5
The call to .to_sym leaks the symbol, since symbols are never garbage collected; malicious users can abuse this by sending many distinct values to exhaust memory.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.