Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

Back

---
gem: chartkick
date: 2019-06-04
url: https://github.com/ankane/chartkick/issues/488
cve: 2019-12732
title: XSS Vulnerability in Chartkick Ruby Gem
description: |
  Chartkick is vulnerable to a cross-site scripting (XSS) attack if
  both the following conditions are met:

  Condition 1:
    It's used with `ActiveSupport.escape_html_entities_in_json = false`
    (this is not the default for Rails)
    OR used with a non-Rails framework like Sinatra.

  Condition 2:
    Untrusted data or options are passed to a chart.

    <%= line_chart params[:data], min: params[:min] %>
patched_versions:
- ">= 3.2.0"