{"id":"UBUNTU-CVE-2018-11627","details":"Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.","modified":"2025-07-16T08:22:10.731052Z","published":"2018-05-31T19:29:00Z","upstream":["CVE-2018-11627"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-11627"},{"type":"REPORT","url":"https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a"},{"type":"REPORT","url":"https://github.com/sinatra/sinatra/issues/1428"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-11627"}],"affected":[{"package":{"name":"ruby-sinatra","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/ruby-sinatra@2.0.8.1-1?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.8.1-1"}]}],"versions":["2.0.5-4ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-rack-protection","binary_version":"2.0.8.1-1"},{"binary_name":"ruby-sinatra","binary_version":"2.0.8.1-1"},{"binary_name":"ruby-sinatra-contrib","binary_version":"2.0.8.1-1"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-11627.json"}},{"package":{"name":"ruby-sinatra","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/ruby-sinatra@2.0.8.1-2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.8.1-2"}]}],"ecosystem_specific":{"binaries":[{"binary_name":"ruby-rack-protection","binary_version":"2.0.8.1-2"},{"binary_name":"ruby-sinatra","binary_version":"2.0.8.1-2"},{"binary_name":"ruby-sinatra-contrib","binary_version":"2.0.8.1-2"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-11627.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}]}