CVSS v3: 4.7
- >= 3.2.0
Chartkick is vulnerable to a cross-site scripting (XSS) attack if both the following conditions are met:
It’s used with
ActiveSupport.escape_html_entities_in_json = false
(this is not the default for Rails)
OR used with a non-Rails framework like Sinatra.
Condition 2: Untrusted data or options are passed to a chart.
<%= line_chart params[:data], min: params[:min] %>