Closed
Description
Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters. This vulnerability has been assigned the CVE identifier CVE-2019-13146.
Versions Affected: 0.3.0
Fixed Versions: 0.3.1
Versions Unaffected: < 0.3.0
Impact
If an application treats variants as trusted, this can lead to a variety of potential vulnerabilities like SQL injection or cross-site scripting (XSS). For instance:
landing_page = field_test(:landing_page)
Page.where("key = '#{landing_page}'")

All users running an affected release should upgrade immediately.
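The hardened pattern, as an added example that is not the field_test gem's own code: a query-string variant is used only when it exactly matches one of the experiment's configured variants, rejections are logged, and the variant reaches the database as a bind value rather than interpolated SQL. The experiment table, the "variant" parameter name, the fall-back-to-first-variant rule and the helper names are assumptions.

```ruby
# Added example, not code from the field_test gem. Constructed experiment
# config: the only variants the application has actually defined.
EXPERIMENTS = {
  "landing_page" => %w[control hero video]
}.freeze

# Resolve the variant for an experiment. `requested` is untrusted input
# (e.g. a query-string value) and is used only when it exactly matches a
# configured variant; otherwise the fallback variant is returned. The
# second element says what happened, so rejections can be logged.
# Assumption: when no fallback is given, the first configured variant is used.
def resolve_variant(experiment, requested, fallback: nil)
  allowed = EXPERIMENTS.fetch(experiment.to_s) # KeyError for unknown experiments
  fallback ||= allowed.first
  raise ArgumentError, "fallback is not a configured variant" unless allowed.include?(fallback)

  return [fallback, :default] if requested.nil? || requested.to_s.empty?

  requested = requested.to_s
  allowed.include?(requested) ? [requested, :accepted] : [fallback, :rejected]
end

# Build the lookup condition with a bind value, the shape ActiveRecord's
# where(String, *binds) accepts, so the variant never becomes part of the
# SQL text. (Hypothetical helper standing in for the page's Page.where.)
def page_condition(variant)
  ["key = ?", variant]
end

# Glue a controller would call: read the (assumed) "variant" query
# parameter, validate it, and record anything that was rejected.
def landing_page_condition(params, logger = [])
  variant, outcome = resolve_variant("landing_page", params["variant"])
  logger << "rejected variant for landing_page: #{params['variant'].inspect}" if outcome == :rejected
  page_condition(variant)
end
```

A rejected value is a useful detection signal: legitimate clients only ever send variants the application itself issued.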