CVE-2014-2538

rack-ssl <1.4.0 - XSS

Title source: llm

Description

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.

References (5)

[Mailing List] http://lists.opensuse.org/opensuse-updates/2014-04/msg00032.html

[Vendor Advisory] http://secunia.com/advisories/57466

[Patch] https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/66314

[Mailing List] http://www.openwall.com/lists/oss-security/2014/03/19/20

Scores

EPSS 0.0027

EPSS Percentile 50.5%

Details

CWE

CWE-79

Status published

Products (10)

joshua_peek/rack-ssl < 1.3.4

joshua_peek/rack-ssl

joshua_peek/rack-ssl

joshua_peek/rack-ssl

joshua_peek/rack-ssl

joshua_peek/rack-ssl

joshua_peek/rack-ssl

joshua_peek/rack-ssl

rubygems/rack-ssl < 1.4.0RubyGems

n/a/n/a

Published Mar 25, 2014

Tracked Since Feb 18, 2026