CVE-2024-37116 – WordPress Sinatra theme <= 1.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-37116
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in sinatrateam Sinatra allows Stored XSS. This issue affects Sinatra: from n/a through 1.3.
The Sinatra theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References:
https://patchstack.com/database/vulnerability/sinatra/wordpress-sinatra-theme-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29970 – sinatra: path traversal possible outside of public_dir when serving static files
https://notcve.org/view.php?id=CVE-2022-29970
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
A flaw was found in Sinatra when serving static files from the public directory. The requested path is not validated to lie within the public directory, allowing files outside of the public directory to be served.
References:
https://github.com/sinatra/sinatra/pull/1683/commits/462c3ca1db53ed3cfc394cf5948e9c948ad1c10e
https://lists.debian.org/debian-lts-announce/2022/10/msg00034.html
https://access.redhat.com/security/cve/CVE-2022-29970
https://bugzilla.redhat.com/show_bug.cgi?id=2081096
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2018-11627 – rubygem-sinatra: XSS in the 400 Bad Request page
https://notcve.org/view.php?id=CVE-2018-11627
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that is rendered when the params parser raises an exception.
References:
https://access.redhat.com/errata/RHSA-2019:0212
https://access.redhat.com/errata/RHSA-2019:0315
https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a
https://github.com/sinatra/sinatra/issues/1428
https://access.redhat.com/security/cve/CVE-2018-11627
https://bugzilla.redhat.com/show_bug.cgi?id=1585218
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')