Possible XSS with Chartkick < 3.2 #245

Closed
ankane opened this issue Jun 4, 2019 · 0 comments

Comments

ankane commented Jun 4, 2019

Blazer is impacted by CVE-2019-12732 (ankane/chartkick#488), which can lead to a cross-site scripting (XSS) attack if ActiveSupport.escape_html_entities_in_json is set to false (this is not the default for Rails).

All Blazer users should upgrade Chartkick immediately.

gem 'chartkick', '>= 3.2'

Blazer 2.1.0 has been released that requires Chartkick 3.2 or above.
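As an added illustration of the condition named above (not code from the issue, Blazer or Chartkick): plain Ruby that mimics what ActiveSupport.escape_html_entities_in_json does to JSON embedded in an inline script, and a check that the script element is still intact. The escape mapping is assumed to match ActiveSupport's, and the inline-script shape is a hypothetical stand-in for however the chart helper emits its data.

```ruby
require "json"

# Assumed to match ActiveSupport's escape_html_entities_in_json mapping:
# <, > and & are written as JSON unicode escapes so they never form markup.
HTML_ENTITY_ESCAPES = { "<" => '\u003c', ">" => '\u003e', "&" => '\u0026' }.freeze

# Serialize chart data to JSON; with escape_html_entities: true the output
# contains no raw <, > or & (the Rails default), otherwise it is plain JSON.
def chart_data_json(data, escape_html_entities: true)
  json = JSON.generate(data)
  return json unless escape_html_entities
  json.gsub(/[<>&]/, HTML_ENTITY_ESCAPES)
end

# Hypothetical inline script in the style a chart helper might emit.
def render_chart_script(data, escape_html_entities: true)
  json = chart_data_json(data, escape_html_entities: escape_html_entities)
  "<script>new Chartkick.LineChart(\"chart-1\", #{json});</script>"
end

# Defender check: the rendered markup must contain exactly one closing script
# tag. A closing tag inside the data ends the element early, which is what
# turns untrusted query output into markup the browser renders.
def script_element_intact?(html)
  html.scan(%r{</script>}i).length == 1
end

# Constructed sample: a query result whose label contains a closing script tag.
UNTRUSTED_LABEL = "label</script>"
SAMPLE_DATA = { UNTRUSTED_LABEL => 1, "safe label" => 2 }.freeze

if __FILE__ == $0
  [true, false].each do |escape|
    html = render_chart_script(SAMPLE_DATA, escape_html_entities: escape)
    puts "escape_html_entities_in_json=#{escape}: intact=#{script_element_intact?(html)}"
  end
end
```

Escaped output still parses back to the same data, so the setting costs nothing for the JSON consumer; it only changes how the bytes look to the HTML parser.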

@ankane ankane closed this as completed Jun 4, 2019
@ankane ankane changed the title XSS Vulnerability in Blazer Ruby Gem Possible XSS with Chartkick < 3.2 Jun 4, 2019