Added CVE-2019-12732 for Chartkick (#391)

ankane · reedloden · commit d6dd0d9a7bf2 · 2019-06-04T17:38:29.000-07:00
diff --git a/gems/chartkick/CVE-2019-12732.yml b/gems/chartkick/CVE-2019-12732.yml
@@ -0,0 +1,21 @@
+---
+gem: chartkick
+cve: 2019-12732
+url: https://github.com/ankane/chartkick/issues/488
+title: XSS Vulnerability in Chartkick Ruby Gem
+date: 2019-06-04
+description: |
+  Chartkick is vulnerable to a cross-site scripting (XSS) attack if
+  both the following conditions are met:
+
+  Condition 1:
+    It's used with `ActiveSupport.escape_html_entities_in_json = false`
+    (this is not the default for Rails)
+    OR used with a non-Rails framework like Sinatra.
+
+  Condition 2:
+    Untrusted data or options are passed to a chart.
+
+    <%= line_chart params[:data], min: params[:min] %>
+patched_versions:
+  - ">= 3.2.0"
