CVE-2020-16254 : The Chartkick gem through 3.3.2 for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).

The Chartkick gem through 3.3.2 for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).

Published 2020-08-05 20:15:15

Updated 2020-08-06 20:33:26

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2020-16254

Probability of exploitation activity in the next 30 days: 0.08%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 31 % EPSS Score History EPSS FAQ

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

https://github.com/ankane/chartkick

GitHub - ankane/chartkick: Create beautiful JavaScript charts with one line of Ruby
Third Party Advisory
https://github.com/ankane/chartkick/issues/546

CSS injection with width and height options · Issue #546 · ankane/chartkick · GitHub
Exploit;Third Party Advisory

Chartkick Project » Chartkick » For Ruby
Versions up to, including, (<=) 3.3.2
cpe:2.3:a:chartkick_project:chartkick:*:*:*:*:*:ruby:*:*
Matching versions