CVE-2019-13146 (field_test): Arbitrary Variants Via Query Parameters

ADVISORIES

CVE-2019-13146 (NVD)
GHSA-wg9m-gw3h-hg83
Vendor Advisory

GEM

field_test

SEVERITY

CVSS v3.x: 5.3 (Medium)

UNAFFECTED VERSIONS

< 0.3.0

PATCHED VERSIONS

>= 0.3.1

DESCRIPTION

Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters.

If an application treats variants as trusted, this can lead to potential vulnerabilities like SQL injection or cross-site scripting (XSS). For instance:

landing_page = field_test(:landing_page) Page.where("key = ‘#{landing_page}’")

RubySec