DEBIAN-CVE-2018-16471
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 13 Nov 2018, 23:29
Last modified:28 Apr 2026, 20:18
Vulnerability Summary
Overall Risk (default)
low
24/100 CVSS Score
6.1 MEDIUM
3.0 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
13 Nov 2018, 23:29
Published
Vulnerability first disclosed
28 Apr 2026, 20:18
Last Modified
Vulnerability information updated
Description
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.
CVSS Metrics
- v3.0•MEDIUM•Score: 6.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected Systems
- debian•ruby-rack
< 1.6.4-6 | < 1.6.4-6 | < 1.6.4-6 | < 1.6.4-6