RubySec

Providing security resources for the Ruby community

CVE-2020-16254 (chartkick): CSS injection with width and height options

ADVISORIES

GEM

chartkick

SEVERITY

CVSS v3.x: 6.1 (Medium)

PATCHED VERSIONS

  • >= 3.4.0

DESCRIPTION

Chartkick is vulnerable to CSS injection if user input is passed to the width or height option.

<%= line_chart data, width: params[:width], height: params[:height] %>

An attacker can set additional CSS properties, like:

<%= line_chart data, width: "100%; background-image: url(‘http://example.com/image.png’)" %>

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories