CVE-2018-11627
Description
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sinatra before 2.0.2 has an XSS vulnerability in the 400 Bad Request page triggered by a params parser exception.
Vulnerability
Sinatra versions before 2.0.2 contain a reflected cross-site scripting (XSS) vulnerability in the 400 Bad Request error page. When Rack's parameter parser rejects the request parameters (raising Rack::Utils::ParameterTypeError or Rack::Utils::InvalidParameterError), Sinatra's params accessor re-raises the failure as Sinatra::BadRequest with the message "Invalid query parameters: " followed by the parser's own message. That message embeds the offending parameter name or the raw malformed value, and Sinatra placed it in the 400 response body without HTML escaping, so an attacker who controls the parameter name or value can inject arbitrary HTML or JavaScript into the page. Affected versions are all releases prior to 2.0.2 [1][2][4].
Exploitation
An attacker exploits this by crafting a URL whose query string Rack's parameter parser rejects, with the injected markup placed in the part of the input that the parser's error message echoes back. Two triggers are conflicting nesting, such as `a=1&a[b]=2`, where Rack reports "expected Hash (got String) for param `a'" and the name `a` can be replaced with HTML, and a malformed percent-escape such as `%zz`, where Rack reports "invalid %-encoding (...)" with the raw text of the token. Either way the payload is reflected verbatim in the 400 Bad Request page. No authentication or special network position is required; because the XSS is reflected, the attacker needs a victim to open the crafted link to a Sinatra application running a vulnerable version [1][4].
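The reflection path described above, as an added example that is not code from Sinatra or Rack: the `MiniRack` module below is a deliberately small stand-in modelled on Rack 2.x's query parser for just the two error cases that matter here (conflicting nesting and a bad percent-escape), with the exception names, message formats and the `escape_html` table assumed to match Rack 2.x. `vulnerable_bad_request_body` builds the 400 body the way Sinatra did before the fix, and `patched_bad_request_body` the way it does after commit 1278686. The query strings are constructed for the demonstration.

```ruby
require 'uri'

# Stand-in for the parts of Rack's query parsing that CVE-2018-11627 touches.
# This is illustrative code written for this page, not Rack's implementation;
# exception classes and message formats are assumptions modelled on Rack 2.x.
module MiniRack
  class ParameterTypeError < TypeError; end
  class InvalidParameterError < ArgumentError; end

  # Assumed to match the ESCAPE_HTML table of Rack 2.x (slash included).
  ESCAPE_HTML = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  "'" => '&#x27;', '"' => '&quot;', '/' => '&#x2F;' }.freeze
  ESCAPE_HTML_RE = Regexp.union(*ESCAPE_HTML.keys)

  def self.escape_html(str)
    str.to_s.gsub(ESCAPE_HTML_RE) { |c| ESCAPE_HTML[c] }
  end

  # Percent-decodes one token. A malformed escape is reported with the raw
  # token in the message, which is how attacker input reaches the error text.
  def self.unescape(str)
    URI.decode_www_form_component(str)
  rescue ArgumentError => e
    raise InvalidParameterError, e.message
  end

  # Handles flat keys ("a=1") and one level of bracket nesting ("a[b]=1").
  # Assigning a nested key onto a name already holding a plain value raises,
  # and the message carries the attacker-chosen parameter name.
  def self.parse_nested_query(qs)
    params = {}
    qs.to_s.split('&').each do |pair|
      next if pair.empty?
      k, v = pair.split('=', 2).map { |s| unescape(s) }
      v = v.to_s
      if k =~ /\A([^\[]+)\[([^\]]*)\]\z/
        name, child = Regexp.last_match(1), Regexp.last_match(2)
        params[name] ||= {}
        unless params[name].is_a?(Hash)
          raise ParameterTypeError,
                "expected Hash (got #{params[name].class.name}) for param `#{name}'"
        end
        params[name][child] = v
      else
        params[k] = v
      end
    end
    params
  end
end

# Before the fix: the parser's message is interpolated into the 400 body as-is.
# Returns nil when the query parses cleanly (no 400 would be produced).
def vulnerable_bad_request_body(query_string)
  MiniRack.parse_nested_query(query_string)
  nil
rescue MiniRack::ParameterTypeError, MiniRack::InvalidParameterError => e
  "Invalid query parameters: #{e.message}"
end

# After the fix: same flow, but the message is HTML-escaped first.
def patched_bad_request_body(query_string)
  MiniRack.parse_nested_query(query_string)
  nil
rescue MiniRack::ParameterTypeError, MiniRack::InvalidParameterError => e
  "Invalid query parameters: #{MiniRack.escape_html(e.message)}"
end

# Constructed attacker query: the parameter name is the payload, and the
# nesting conflict forces the parser to echo that name back.
PAYLOAD_QUERY = '<script>alert(1)</script>=1&<script>alert(1)</script>[x]=2'

if __FILE__ == $0
  puts "vulnerable: #{vulnerable_bad_request_body(PAYLOAD_QUERY)}"
  puts "patched:    #{patched_bad_request_body(PAYLOAD_QUERY)}"
  puts "bad escape: #{patched_bad_request_body('%zz<img>')}"
end
```

Running it shows the raw `<script>` tag in the vulnerable body and `&lt;script&gt;` in the patched one; the percent-encoding case shows that the second exception class reflects the raw token, so both rescued exceptions had to be covered by the same escaping.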
Impact
Successful exploitation runs attacker-supplied JavaScript in the origin of the Sinatra application, in the browser of any victim who opens the crafted link. That allows session hijacking or theft of cookies not marked HttpOnly, actions performed with the victim's session, defacement of the page, and other client-side attacks. The impact is limited to reflected XSS and does not provide server-side code execution [2][4].
Mitigation
The fix shipped in Sinatra 2.0.2 (commit 1278686, "escape invalid query params"), which wraps the parser's message in Rack::Utils.escape_html before raising BadRequest; users must upgrade to 2.0.2 or later. Red Hat addressed the issue for its CloudForms product via RHSA-2019:0212 and RHSA-2019:0315 [2][3]. No upstream workaround is documented [4]. As a stopgap until the upgrade is deployed, an application can register its own Sinatra `error 400` handler that renders a fixed or escaped body, which replaces the raw exception message in the response; this does not remove the underlying defect and is no substitute for upgrading.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| sinatra (RubyGems) | >= 2.0.0, < 2.0.2 | 2.0.2 |
Affected products
- (no CPE) range: >= 2.0.0, < 2.0.2
- (no CPE) range: < 2.2.0-1.1
Patches
12786867d6fa: escape invalid query params, fixes #1428
1 file changed · +1 −1
lib/sinatra/base.rb+1 −1 modified@@ -78,7 +78,7 @@ def unlink? def params super rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e - raise BadRequest, "Invalid query parameters: #{e.message}" + raise BadRequest, "Invalid query parameters: #{Rack::Utils.escape_html(e.message)}" end private
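Review bot: escaping the message at this single raise site (`raise BadRequest, "Invalid query parameters: #{Rack::Utils.escape_html(e.message)}"`) closes the reflection through the two rescued Rack exceptions, but it ties output encoding to the place the exception is raised: any other BadRequest whose message embeds request data and is rendered by the same 400 page stays unescaped. Applying Rack::Utils.escape_html where the 400 body is built from the exception message would cover every raise site at once and keep exception messages plain text for logging. Either way, a regression test that sends a conflicting query such as `a=1&a[b]=2` with an HTML tag as the parameter name and asserts the 400 body contains `&lt;` rather than `<` would pin the fix.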
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:0212 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2019:0315 (Red Hat vendor advisory)
- github.com/advisories/GHSA-mq35-wqvf-r23c (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11627 (NVD entry)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2018-11627.yml (ruby-advisory-db entry)
- github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a (fix commit)
- github.com/sinatra/sinatra/issues/1428 (upstream issue)