CSS Injection

Affecting chartkick gem, versions <3.4.0


Overview

chartkick is a Ruby gem that allows creation of JavaScript charts.

Affected versions of this package are vulnerable to CSS Injection. Chartkick does not validate the width or height option as a CSS length, so an application that passes untrusted input (for example a request parameter) to either option lets the caller control part of the chart container's CSS:

<%= line_chart data, width: params[:width], height: params[:height] %>

An attacker who controls the value can append further CSS declarations, for example:

<%= line_chart data, width: "100%; background-image: url('http://example.com/image.png')" %>
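The pattern above, as an added example that is not chartkick's own code: vulnerable_chart_html is a simplified stand-in for the container div a chart helper emits, interpolating an HTML-escaped width and height into an inline style attribute, and hardened_chart_html validates both values against a CSS-length allow-list before they reach the markup. The function names, the CSS_LENGTH regex and the rendered markup are this example's assumptions, not chartkick's implementation (the check shipped in 3.4.0 may differ); the PAYLOAD constant is the advisory's attacker string.

```ruby
require "erb"

# Added example (not chartkick's code): a simplified stand-in for the chart
# container <div>. Width and height are HTML-escaped and interpolated straight
# into the inline style attribute, which is the vulnerable pattern.
def vulnerable_chart_html(id:, width: "100%", height: "300px")
  h = ->(s) { ERB::Util.html_escape(s.to_s) }
  %(<div id="#{h[id]}" style="height: #{h[height]}; width: #{h[width]};">Loading...</div>)
end

# Allow-list for a single CSS length: digits, optional fraction, optional unit.
# This regex is this example's choice of validator, not chartkick's.
CSS_LENGTH = /\A\d+(\.\d+)?(px|em|rem|%|vh|vw)?\z/

def css_length?(value)
  value.to_s.match?(CSS_LENGTH)
end

# Reject anything that is not a bare length before it reaches the style attribute.
def safe_dimension(value, default)
  v = (value.nil? || value.to_s.strip.empty?) ? default : value.to_s.strip
  raise ArgumentError, "invalid CSS dimension: #{v.inspect}" unless css_length?(v)
  v
end

# Hardened variant: same markup, but both dimensions are validated first.
def hardened_chart_html(id:, width: nil, height: nil)
  w  = safe_dimension(width, "100%")
  ht = safe_dimension(height, "300px")
  h  = ->(s) { ERB::Util.html_escape(s.to_s) }
  %(<div id="#{h[id]}" style="height: #{ht}; width: #{w};">Loading...</div>)
end

# Constructed attacker-controlled value: the payload from the advisory.
PAYLOAD = "100%; background-image: url('http://example.com/image.png')"

# True when an injected declaration survived into the style attribute.
def injected?(html)
  html.match?(/style="[^"]*background-image/)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_chart_html(id: "chart-1", width: PAYLOAD)
  begin
    hardened_chart_html(id: "chart-1", width: PAYLOAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

HTML-escaping the value is not a fix: it neutralises `"`, `<` and `&`, but `;` and `:` are not special in an HTML attribute, and the browser decodes entities (`&#39;` back to `'`) before the attribute value is handed to the CSS parser, so the injected background-image declaration is still live. Validating the shape of the value (an allow-list of lengths) is the robust fix; a deny-list of "dangerous" characters would be easy to get wrong.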

Remediation

Upgrade chartkick to version 3.4.0 or higher.

CVSS Score

8.2
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    Low
  • Availability
    None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Credit
Unknown
CVE
CVE-2020-16254
CWE
CWE-74
Snyk ID
SNYK-RUBY-CHARTKICK-597471
Disclosed
06 Aug, 2020
Published
06 Aug, 2020