Prototype Pollution in Chartkick.js 3.1.x
Published: November 09, 2019
SECURITY IDENTIFIERS
- CVE: CVE-2019-18841 (NVD)
- GHSA: GHSA-5pm8-492c-92p5
- Vendor Advisory: https://github.com/ankane/chartkick.js/issues/117
GEM
SEVERITY
CVSS v3.x: 7.3 (High)
UNAFFECTED VERSIONS
< 3.1.0
PATCHED VERSIONS
>= 3.3.0
DESCRIPTION
When chart data is loaded via URL, a specially crafted response can cause prototype pollution in JavaScript.
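
The failure mode described above, as an added example that is not Chartkick.js code and not taken from the advisory. It assumes the JSON response is folded into chart options by a recursive merge, which the advisory does not specify; `mergeUnsafe`, `mergeSafe`, `runDemo` and the sample response are constructed for illustration.

```javascript
// Added illustration: mergeUnsafe, mergeSafe and runDemo are hypothetical
// helpers, not Chartkick.js code. The response body below is constructed.
const craftedResponse = '{"__proto__": {"polluted": "yes"}, "series": {"a": 1}}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable pattern: recurses into every key. JSON.parse makes "__proto__"
// an own property of the source, while target["__proto__"] resolves to
// Object.prototype, so the nested values are written onto the shared prototype.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: skip prototype-related keys and only recurse into
// properties the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const own = Object.prototype.hasOwnProperty.call(target, key);
    if (own && isPlainObject(source[key]) && isPlainObject(target[key])) {
      mergeSafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Merge the parsed response into chart options, then check whether an
// unrelated, freshly created object picked up the injected property.
function runDemo(merge) {
  const options = merge({ series: {} }, JSON.parse(craftedResponse));
  const leaked = ({}).polluted === "yes";
  delete Object.prototype.polluted; // undo the side effect of the unsafe run
  return { leaked, seriesA: options.series.a };
}

console.log("unsafe:", runDemo(mergeUnsafe));
console.log("safe:  ", runDemo(mergeSafe));
```

Both merges still deliver the legitimate `series` data; only the unsafe one lets the response alter objects that never touched it.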
