XSS Vulnerability in Chartkick Ruby Gem
Published: June 04, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-12732 (NVD)
- GHSA: GHSA-g45g-g52h-39rg
- Vendor Advisory: https://github.com/ankane/chartkick/issues/488
GEM: chartkick
SEVERITY
CVSS v3.x: 4.7 (Medium)
PATCHED VERSIONS
>= 3.2.0
DESCRIPTION
Chartkick is vulnerable to a cross-site scripting (XSS) attack if both of the following conditions are met:
Condition 1: It is used with ActiveSupport.escape_html_entities_in_json = false (this is not the default for Rails), OR it is used with a non-Rails framework like Sinatra.
Condition 2: Untrusted data or options are passed to a chart, for example:
<%= line_chart params[:data], min: params[:min] %>
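To illustrate the mechanism behind the two conditions, here is an added Ruby example that is not Chartkick's or ActiveSupport's own code: it reproduces the entity escaping that ActiveSupport.escape_html_entities_in_json = true applies to JSON (the step that is missing when the flag is false or outside Rails) and checks whether untrusted chart data could terminate the surrounding script element without it. The chart markup, the helper names and the sample input are assumptions for illustration.

```ruby
require "json"

# Chart helpers embed data and options as JSON inside a <script> element.
# With ActiveSupport.escape_html_entities_in_json = true (the Rails default),
# <, > and & are replaced by \u escapes, so the JSON can never contain a
# literal "</" that would close the element early. Plain JSON.generate, as
# used outside Rails (e.g. Sinatra), performs no such escaping.
HTML_ESCAPE_IN_JSON = {
  "<" => '\u003c',
  ">" => '\u003e',
  "&" => '\u0026',
}.freeze

# Serialize +obj+ to JSON with HTML-significant characters escaped.
# The result is still valid JSON and decodes to the same value.
def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&]/, HTML_ESCAPE_IN_JSON)
end

# Render the script snippet the way a chart helper would (hypothetical
# markup), given data and options that may come from request parameters.
def chart_script(data, options, escape: true)
  payload = [data, options]
  json = escape ? html_safe_json(payload) : JSON.generate(payload)
  "<script>new Chartkick.LineChart(\"chart-1\", #{json});</script>"
end

# True if the embedded JSON contains a literal "</" sequence, i.e. if the
# browser's HTML parser could end the script element inside the data.
def breaks_out_of_script?(html)
  body = html.sub(/\A<script>/, "").sub(%r{</script>\z}, "")
  body.include?("</")
end

# Constructed untrusted input: a series name and an option containing markup.
UNTRUSTED_DATA = { "Sales </b><i>Q1</i>" => [["2019-01", 10], ["2019-02", 12]] }
UNTRUSTED_OPTIONS = { "min" => "0 <" }

if __FILE__ == $0
  puts chart_script(UNTRUSTED_DATA, UNTRUSTED_OPTIONS, escape: false)
  puts chart_script(UNTRUSTED_DATA, UNTRUSTED_OPTIONS, escape: true)
end
```

Running it prints the unescaped snippet, in which the series name's closing tag survives verbatim, followed by the escaped snippet, in which every angle bracket is a \u escape and the JSON still parses to the original data.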
