DEBIAN-CVE-2018-16471

DEBIAN-CVE-2018-16471 PUBLISHED CVSS 6.099999904632568 MEDIUM

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

Risk Scores

CVSS v3.0

6.099999904632568

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Debian:13	ruby-rack	0, 0, 0
Debian:11	ruby-rack	0, 0, 0
Debian:14	ruby-rack	0, 0, 0
Debian:12	ruby-rack	0, 0, 0

Timeline

Nov 13, 2018 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2018-16471 advisory

Open in Interactive Console →