RubySec

Providing security resources for the Ruby community

CVE-2019-12732 (chartkick): XSS Vulnerability in Chartkick Ruby Gem

ADVISORIES

GEM

chartkick

PATCHED VERSIONS

  • >= 3.2.0

DESCRIPTION

Chartkick is vulnerable to a cross-site scripting (XSS) attack if both the following conditions are met:

Condition 1: It’s used with ActiveSupport.escape_html_entities_in_json = false (this is not the default for Rails) OR used with a non-Rails framework like Sinatra.

Condition 2: Untrusted data or options are passed to a chart.

<%= line_chart params[:data], min: params[:min] %>