Published 8 months ago
Category: Cross-Site Scripting
Source: GitHub
Severity: Severe

Vulnerability in chartkick

Chartkick is vulnerable to a cross-site scripting (XSS) attack if both of the following conditions are met:

Condition 1: It is used with ActiveSupport.escape_html_entities_in_json = false (this is not the default for Rails), OR it is used with a non-Rails framework such as Sinatra.

Condition 2: Untrusted data or options are passed to a chart.

<%= line_chart params[:data], min: params[:min] %>
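The following Ruby example is added here to illustrate the advisory; it is not chartkick's code. It reproduces the underlying mechanism with a hypothetical chart helper: chart data and options are serialized as JSON into an inline script, and the JSON is safe to embed only when <, > and & are escaped inside it, which is what Rails' escape_html_entities_in_json = true does and what a non-Rails app has to arrange itself. The payload strings are constructed sample input, not taken from the page.

```ruby
require "json"

# Mirrors the effect of ActiveSupport's escape_html_entities_in_json = true
# (an assumption about the mapping, not ActiveSupport code): <, > and &
# become JSON unicode escapes, so the serialized text can never contain
# "</script>" while still decoding to the same value in the browser.
JSON_HTML_ESCAPES = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

def json_for_script(value, escape_html_entities: true)
  json = JSON.generate(value)
  return json unless escape_html_entities
  json.gsub(/[<>&]/, JSON_HTML_ESCAPES)
end

# Hypothetical stand-in for a chart helper: data and options are
# interpolated into an inline <script> as JSON (real chartkick markup differs).
def render_chart_script(data, options, escape_html_entities: true)
  payload = json_for_script({ "data" => data, "options" => options },
                            escape_html_entities: escape_html_entities)
  "<script>new Chart(#{payload});</script>"
end

# Detection check for a rendered fragment: does the JSON inside the
# <script> element contain a "</script" sequence that would close it early?
def script_breakout?(html)
  inner = html.sub(/\A<script>/, "").sub(%r{</script>\z}, "")
  inner.match?(%r{</script}i)
end

# Constructed untrusted input, standing in for params[:data] / params[:min]
# from the advisory's example.
UNTRUSTED_DATA = { "2024-01" => 1, "</script><b>injected</b>" => 2 }.freeze
UNTRUSTED_OPTIONS = { "min" => "</script><b>injected</b>" }.freeze

if __FILE__ == $PROGRAM_NAME
  unsafe = render_chart_script(UNTRUSTED_DATA, UNTRUSTED_OPTIONS, escape_html_entities: false)
  safe   = render_chart_script(UNTRUSTED_DATA, UNTRUSTED_OPTIONS)
  puts "escape_html_entities_in_json = false -> breakout: #{script_breakout?(unsafe)}"
  puts "escape_html_entities_in_json = true  -> breakout: #{script_breakout?(safe)}"
end
```

The same check applies to any framework that writes JSON into a script element: if the serialized text can contain `</script`, the page is injectable regardless of how the surrounding HTML is escaped.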

CVSS Metrics

Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

>= 3.2.0

Unaffected Versions