CVE-2020-16254 (chartkick): CSS injection with width and height options

CVE: CVE-2020-16254 ( NVD )
GHSA: GHSA-3j95-fjv2-3m4p
Vendor Advisory: https://github.com/ankane/chartkick/issues/546

CSS injection with width and height options

Published: August 04, 2020

CVSS v3.x: 6.1 (Medium)

>= 3.4.0

Chartkick is vulnerable to CSS injection if user input is passed to the width or height option.

<%= line_chart data, width: params[:width], height: params[:height] %>

An attacker can set additional CSS properties, like:

<%= line_chart data, width: "100%; background-image: url('http://example.com/image.png')" %>