RubySec

Providing security resources for the Ruby community

CVE-2019-13146 (field_test): Arbitrary Variants Via Query Parameters

GEM

field_test

SEVERITY

CVSS v3: 5.3

UNAFFECTED VERSIONS

  • < 0.3.0

PATCHED VERSIONS

  • >= 0.3.1

DESCRIPTION

Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters.

If an application treats variants as trusted, this can lead to vulnerabilities such as SQL injection or cross-site scripting (XSS). For instance, interpolating the variant straight into a query:

landing_page = field_test(:landing_page)
Page.where("key = '#{landing_page}'")
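As an added example (not code from the advisory or from the field_test gem), the following shows the defensive pattern an application can apply regardless of gem version: accept a variant only if it is one the experiment actually defines, and keep the variant out of the SQL text with a bound parameter. The experiment name, its variants and the request value are constructed for illustration.

```ruby
# Added example, not part of the advisory or the field_test gem.
# Assumed experiment configuration: the only variants the app defines.
EXPERIMENTS = {
  landing_page: %w[control hero_video pricing_first]
}.freeze

# Return the requested variant only if the experiment defines it;
# anything else (including nil) falls back to the first, control, variant.
def safe_variant(experiment, requested)
  allowed = EXPERIMENTS.fetch(experiment)
  allowed.include?(requested.to_s) ? requested.to_s : allowed.first
end

# The advisory's vulnerable pattern, kept for comparison: string
# interpolation places whatever the variant contains into the SQL text.
def unsafe_where(variant)
  "SELECT * FROM pages WHERE key = '#{variant}'"
end

# Hardened form: the variant travels as a bound parameter, never as SQL.
# This is the equivalent of ActiveRecord's Page.where(key: variant).
def safe_where(variant)
  ["SELECT * FROM pages WHERE key = ?", [variant]]
end

if $PROGRAM_NAME == __FILE__
  # Constructed value as it might arrive from a query parameter.
  requested = "unknown_variant"
  puts unsafe_where(requested)                       # value lands in the SQL
  variant = safe_variant(:landing_page, requested)   # => "control"
  p safe_where(variant)                              # SQL and value kept apart
end
```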