Under certain conditions, the Chartkick Ruby gem is vulnerable to a cross-site scripting (XSS) attack. This vulnerability has been assigned the CVE identifier CVE-2019-12732.
Versions Affected: 3.1.0 and below
Fixed Versions: 3.2.0
Impact
Chartkick is vulnerable to a cross-site scripting (XSS) attack if BOTH the following conditions are met:
Condition 1: It's used with ActiveSupport.escape_html_entities_in_json = false (this is not the default for Rails) OR used with a non-Rails framework like Sinatra.
Condition 2: Untrusted data or options are passed to a chart.
<%= line_chart params[:data], min: params[:min] %>
Note that your database can also contain untrusted data.
<%= column_chart Visit.group(:user_agent).count %>
All users running an affected release should upgrade immediately.
Under certain conditions, the Chartkick Ruby gem is vulnerable to a cross-site scripting (XSS) attack. This vulnerability has been assigned the CVE identifier CVE-2019-12732.
Versions Affected: 3.1.0 and below
Fixed Versions: 3.2.0
Impact
Chartkick is vulnerable to a cross-site scripting (XSS) attack if BOTH the following conditions are met:
Condition 1: It's used with
ActiveSupport.escape_html_entities_in_json = false(this is not the default for Rails) OR used with a non-Rails framework like Sinatra.Condition 2: Untrusted data or options are passed to a chart.
Note that your database can also contain untrusted data.
All users running an affected release should upgrade immediately.