CVSS v3.x: 6.4 (Medium)
- >= 1.2.1
There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.
For example, an attacker could craft pagination links that link to other domain or host: https://example.com/posts?page=4&original_script_name=https://another-host.example.com
The 1.2.1 gem including the patch has already been released. All past released versions are affected by this vulnerability.
Application developers who can’t update the gem can workaround by overriding the
module Kaminari::Helpers PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze end