RubySec

Providing security resources for the Ruby community

CVE-2019-12732 (chartkick): XSS Vulnerability in Chartkick Ruby Gem

GEM

chartkick

SEVERITY

CVSS v3.x: 4.7 (Medium)

PATCHED VERSIONS

  • >= 3.2.0

DESCRIPTION

Chartkick is vulnerable to a cross-site scripting (XSS) attack if both the following conditions are met:

Condition 1: It’s used with ActiveSupport.escape_html_entities_in_json = false (this is not the default for Rails) OR used with a non-Rails framework like Sinatra.

Condition 2: Untrusted data or options are passed to a chart.

<%= line_chart params[:data], min: params[:min] %>
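The two conditions combine because a chart helper serialises its data and options with JSON and places the result inside an inline script element. A plain JSON encoder leaves "<", ">" and "&" untouched, so a value such as "</script>" in a key or option closes the script element as far as the HTML parser is concerned, and whatever follows is parsed as fresh markup. Rails avoids this by default by JSON-escaping those characters; outside Rails, or with that setting disabled, nothing does. The following is an added illustration, not the chartkick gem's own code: the helpers render_chart_unsafe, render_chart_safe, json_for_script and script_breakout? are hypothetical stand-ins, and the attacker-controlled input is constructed to mirror what params[:data] and params[:min] would carry in the view above.

```ruby
require "json"

# Constructed attacker-controlled input, as it would arrive from
# params[:data] and params[:min] in:
#   <%= line_chart params[:data], min: params[:min] %>
ATTACKER_DATA = {
  "2019-01-01" => 1,
  "</script><script>alert(1)</script>" => 2
}.freeze
ATTACKER_MIN = "</script><script>alert(1)</script>".freeze

# Vulnerable stand-in (hypothetical helper, not chartkick's code): plain
# JSON.generate leaves < > & alone, which is what a non-Rails app, or Rails
# with ActiveSupport.escape_html_entities_in_json = false, ends up with.
# The HTML parser does not know it is inside a JS string literal, so the
# first "</script>" in the payload terminates the script element.
def render_chart_unsafe(data, options)
  payload = JSON.generate({ "data" => data, "options" => options })
  "<script>new Chartkick.LineChart(\"chart-1\", #{payload});</script>"
end

# Hardened stand-in: JSON-escape the characters that matter inside <script>.
# "\u003c" is still "<" once the browser parses the JSON, so the chart renders
# identically, but the HTML parser never sees a literal "</script>".
# U+2028/U+2029 are escaped as well; they are line terminators in JavaScript
# string literals and would otherwise truncate the literal in older engines.
def json_for_script(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| format('\u%04x', c.ord) }
end

def render_chart_safe(data, options)
  payload = json_for_script({ "data" => data, "options" => options })
  "<script>new Chartkick.LineChart(\"chart-1\", #{payload});</script>"
end

# Rough model of the HTML tokenizer's behaviour: after the opening tag, the
# first "</script>" closes the element regardless of JavaScript syntax.
# Returns true when the payload contains an early terminator, i.e. the
# rendered HTML breaks out of the script element.
def script_breakout?(html)
  body = html.sub(/\A<script>/, "")
  body.index("</script>") != body.rindex("</script>")
end

if __FILE__ == $PROGRAM_NAME
  puts render_chart_unsafe(ATTACKER_DATA, { min: ATTACKER_MIN })
  puts render_chart_safe(ATTACKER_DATA, { min: ATTACKER_MIN })
end
```

The practical takeaway matches the advisory: upgrade to chartkick >= 3.2.0, and regardless of version treat anything taken from params as untrusted before it reaches a chart helper, since the JSON escaping only protects the script context and does not validate the values themselves.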