Description

Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.

Remediation

References

https://chartkick.com

https://github.com/ankane/chartkick.js/issues/117

https://github.com/ankane/chartkick/blob/master/CHANGELOG.md

https://github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa

https://github.com/ankane/chartkick/commits/master

https://rubygems.org/gems/chartkick/

Related Vulnerabilities

CVE-2018-3721 Vulnerability in maven package org.webjars.bower:lodash

CVE-2020-26272 Vulnerability in npm package electron

CVE-2023-48967 Vulnerability in maven package org.noear:solon.serialization.fury

CVE-2019-19771 Vulnerability in npm package riped160

CVE-2021-33623 Vulnerability in npm package trim-newlines

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Product Third Party Advisory Release Notes Patch NVD-CWE-noinfo