Rubysec


Advisory Archive

---
gem: field_test
date: 2019-07-01
url: https://github.com/ankane/field_test/issues/17
cve: 2019-13146
title: Arbitrary Variants Via Query Parameters
description: |
  Due to unvalidated input, an attacker can pass in
  arbitrary variants via query parameters.

  If an application treats variants as trusted, this can
  lead to potential vulnerabilities like SQL injection
  or cross-site scripting (XSS). For instance:

  landing_page = field_test(:landing_page)
  Page.where("key = '#{landing_page}'")
unaffected_versions:
- "< 0.3.0"
patched_versions:
- ">= 0.3.1"
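The pattern the advisory warns about, and the two controls that close it, shown in an added example that is not code from the field_test project or from the advisory itself. It assumes experiments are configured as a hash of experiment name to allowed variant names and that the requested variant arrives as a query-string parameter; the helper names, the `EXPERIMENTS` config and the sample request are all constructed for illustration. The hardened path only accepts a variant that is actually configured for the experiment, and keeps the SQL text separate from the value instead of interpolating it.

```ruby
# Added example: allowlisting a client-selected A/B variant and avoiding
# string-interpolated SQL. Not field_test's own code; names are hypothetical.

# Constructed sample configuration: experiment name => permitted variants.
EXPERIMENTS = {
  "landing_page" => %w[control variant_a variant_b]
}.freeze

# Vulnerable pattern: whatever the client sends in the query string is taken
# as the variant, so an attacker controls the value downstream code trusts.
def variant_unvalidated(params, experiment)
  params["#{experiment}_variant"] || EXPERIMENTS.fetch(experiment).first
end

# Hardened pattern: the client may only select a configured variant;
# any other value (including none) falls back to the default, first variant.
def variant_allowlisted(params, experiment)
  allowed = EXPERIMENTS.fetch(experiment)
  requested = params["#{experiment}_variant"]
  allowed.include?(requested) ? requested : allowed.first
end

# The query construction from the advisory: interpolating the variant into
# the SQL text, which is where an untrusted variant becomes SQL injection.
def where_interpolated(variant)
  "key = '#{variant}'"
end

# Parameterised form: SQL text and bind value stay separate, in the shape
# ActiveRecord's `where("key = ?", value)` sends to the database.
def where_parameterised(variant)
  ["key = ?", [variant]]
end

if __FILE__ == $PROGRAM_NAME
  hostile = { "landing_page_variant" => "x' OR 1=1 --" } # constructed request
  puts where_interpolated(variant_unvalidated(hostile, "landing_page"))
  p where_parameterised(variant_allowlisted(hostile, "landing_page"))
end
```

Both controls matter independently: the allowlist keeps an unconfigured variant out of the application's logic (templates, cache keys, analytics), and the parameterised query keeps even a configured variant from ever being parsed as SQL.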