Search for packages
| purl | pkg:gem/sinatra@1.4.0.a |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5dmr-8tvd-8uen
Aliases: CVE-2018-11627 GHSA-mq35-wqvf-r23c |
Cross-site Scripting Sinatra has XSS via the Bad Request page that occurs upon a params parser exception. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-7f81-3s1y-sfec
Aliases: CVE-2022-29970 GHSA-qp49-3pvw-x4m5 |
sinatra does not validate expanded path matches Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files. |
Affected by 3 other vulnerabilities. |
|
VCID-tax5-a72w-mbhy
Aliases: CVE-2025-61921 GHSA-mr3q-g2mv-mr4q |
Sinatra is vulnerable to ReDoS through ETag header value generation There is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response and you are using Ruby < 3.2. |
Affected by 0 other vulnerabilities. |
|
VCID-vy9q-nvxx-yfh5
Aliases: CVE-2024-21510 GHSA-hxx2-7vcw-mqr3 |
Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||