The Chartkick Ruby gem is vulnerable to CSS injection if user input is passed to the width or height option. This vulnerability has been assigned the CVE identifier CVE-2020-16254.
Versions Affected: 3.3.2 and below
Fixed Versions: 3.4.0
Impact
Chartkick is vulnerable to CSS injection if user input is passed to the width or height option.
<%= line_chart data, width: params[:width], height: params[:height] %>
An attacker can set additional CSS properties, like:
<%= line_chart data, width: "100%; background-image: url('http://example.com/image.png')" %>All users running an affected release should upgrade.
Technical Details
Chartkick uses ERB::Util.html_escape to escape the width and height. This prevents XSS, but does not escape semicolons, which allows CSS additional properties to be set. Chartkick now limits width and height values to alphanumeric and % (this prevents some valid values like calc() but keeps things simple).
The Chartkick Ruby gem is vulnerable to CSS injection if user input is passed to the
widthorheightoption. This vulnerability has been assigned the CVE identifier CVE-2020-16254.Versions Affected: 3.3.2 and below
Fixed Versions: 3.4.0
Impact
Chartkick is vulnerable to CSS injection if user input is passed to the
widthorheightoption.An attacker can set additional CSS properties, like:
All users running an affected release should upgrade.
Technical Details
Chartkick uses
ERB::Util.html_escapeto escape the width and height. This prevents XSS, but does not escape semicolons, which allows CSS additional properties to be set. Chartkick now limits width and height values to alphanumeric and % (this prevents some valid values likecalc()but keeps things simple).