oss-sec mailing list archives

CVE Request: rack-ssl rubygem: XSS in error page
From: Marcus Meissner <meissner () suse de>
Date: Wed, 19 Mar 2014 14:05:19 +0100

Hi,

The latest version of rack-ssl rubygem (1.4.0) contains a commit that fixes an
XSS vulnerability in the error page.

https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b

"Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
the resulting exception. This creates an attack vector for XSS attacks."

Needs a CVE I think.

Ciao, Marcus
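
The pattern the commit message describes, shown as an added example (not code from rack-ssl, jruby-rack, or the original mail): a request path that fails URI parsing has its text reflected into an HTML error page. The sample path, the function names and the adapter stand-in are assumptions; the only library behaviour relied on is that `URI.parse` rejects angle brackets and quotes the offending input in its message, and that `CGI.escapeHTML` neutralises the markup.

```ruby
require "cgi"
require "uri"

# Constructed sample request path (not from the advisory): it is not a
# valid URI because of the angle brackets, and it carries markup that a
# browser would execute if it were reflected into HTML unchanged.
BAD_PATH = "/<script>alert(1)</script>"

# Stand-in for an adapter that parses the request URI and surfaces the
# parser's exception text (hypothetical; not jruby-rack or rack-ssl code).
# URI.parse rejects '<' and '>' and its message quotes the offending input,
# so the request-controlled path ends up inside the exception message.
def uri_failure_message(path)
  URI.parse(path)
  nil
rescue URI::InvalidURIError => e
  e.message
end

# Vulnerable pattern: the exception message is interpolated into the
# error page as-is, so whatever the request contained is rendered as HTML.
def error_page_unescaped(message)
  "<html><body><h1>Error</h1><pre>#{message}</pre></body></html>"
end

# Fixed pattern: HTML-escape the message before it reaches the response
# body; the text stays readable for debugging, but the markup is inert.
def error_page_escaped(message)
  "<html><body><h1>Error</h1><pre>#{CGI.escapeHTML(message)}</pre></body></html>"
end

# Returns [unescaped_body, escaped_body] for a request path, so the two
# behaviours can be compared side by side.
def render_both(path)
  message = uri_failure_message(path) || "no parse error for #{path}"
  [error_page_unescaped(message), error_page_escaped(message)]
end

if __FILE__ == $0
  unsafe, safe = render_both(BAD_PATH)
  puts "unescaped: #{unsafe}"
  puts "escaped:   #{safe}"
end
```

Running it prints the two bodies: the first still contains the literal `<script>` element from the path, the second contains `&lt;script&gt;`. The detection angle for defenders is the same in both directions: any error page that embeds request-derived text (path, query, header values, or an exception message that quotes them) needs the escaping step, regardless of which server adapter produced the exception.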

