PT-2020-9126 · Unknown · Io.Ratpack:Ratpack-Core

Published: 2020-01-27 · Updated: 2020-01-29 · CVE-2019-10770

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: io.ratpack:ratpack-core versions 0.9.10 through 1.7.5

Description: The development-mode error handler renders exception messages into the error page without escaping them. When an exception message contains untrusted data (for example, request input echoed back in the message), this allows reflected Cross-site Scripting (XSS). The issue is exploitable only when an application is run with development mode still enabled in production; the production-mode error handler is not vulnerable.

Recommendations: For versions 0.9.10 through 1.7.5, update to version 1.7.6, which resolves the issue. As a temporary workaround, make sure development mode is disabled in production. Avoid using real customer data (i.e., untrusted user input) in development, and avoid placing untrusted input in exception messages.
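The following is an added example, not code from this advisory or from the Ratpack project. It shows the risky pattern the description refers to (untrusted request input copied into an exception message) next to the two mitigations the advisory recommends: forcing development mode off in server configuration, and registering an error handler that HTML-escapes whatever it reflects. The handler path `/item`, the `id` query parameter, the port and the package name are constructed for illustration; the Ratpack 1.x API names used (`RatpackServer.start`, `ServerConfigBuilder.development`, `RatpackServerSpec.registryOf`, `ServerErrorHandler`) are given from memory and should be checked against the version you run.

```java
package example; // hypothetical package name for this added example

import ratpack.error.ServerErrorHandler;
import ratpack.handling.Context;
import ratpack.server.RatpackServer;

public class DevModeXssDemo {

    // Minimal HTML escaping for anything that ends up inside an error page.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // A server error handler that never reflects a raw exception message.
    // Registered below so it is used whether or not development mode is on.
    static final class SafeErrorHandler implements ServerErrorHandler {
        @Override
        public void error(Context ctx, Throwable t) {
            ctx.getResponse().status(500).send("text/html",
                "<html><body><h1>Internal error</h1><pre>"
                + escapeHtml(String.valueOf(t.getMessage()))
                + "</pre></body></html>");
        }
    }

    public static void main(String[] args) throws Exception {
        RatpackServer.start(server -> server
            // Mitigation 1: force production mode here instead of relying on the
            // ratpack.development system property / RATPACK_DEVELOPMENT env var
            // being unset on the production host.
            .serverConfig(cfg -> cfg.development(false).port(5050))
            // Mitigation 2: escape before reflecting, as defence in depth.
            .registryOf(r -> r.add(ServerErrorHandler.class, new SafeErrorHandler()))
            .handlers(chain -> chain
                .get("item", ctx -> {
                    String id = ctx.getRequest().getQueryParams().get("id");
                    // Constructed example of the risky pattern: untrusted input is
                    // copied into an exception message. On 0.9.10 through 1.7.5 the
                    // default development-mode error page showed this unescaped.
                    if (id == null || !id.matches("[0-9]+")) {
                        throw new IllegalArgumentException("unknown item id: " + id);
                    }
                    ctx.getResponse().send("item " + id);
                })
            )
        );
    }
}
```

With this configuration, a request such as `GET /item?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E` produces an error page in which the angle brackets are escaped. The same request against an unpatched 0.9.10 through 1.7.5 server started with development mode enabled and no custom error handler is the condition the advisory describes as exploitable.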

Related Identifiers

CVE-2019-10770
GHSA-R2WF-Q3X4-HRV9
SNYK-JAVA-IORATPACK-534882

Affected Products

Io.Ratpack:Ratpack-Core