Description

Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution.

Remediation

References

https://chartkick.com

https://github.com/ankane/chartkick/commit/b810936bbf687bc74c5b6dba72d2397a399885fa

https://rubygems.org/gems/chartkick/

https://github.com/ankane/chartkick/commits/master

https://github.com/ankane/chartkick/blob/master/CHANGELOG.md

https://github.com/ankane/chartkick.js/issues/117

Related Vulnerabilities

CVE-2020-27885 Vulnerability in maven package org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.store.feature

CVE-2016-10550 Vulnerability in npm package sequelize

CVE-2021-3807 Vulnerability in npm package ansi-regex

CVE-2023-22621 Vulnerability in npm package @strapi/plugin-email

CVE-2022-29894 Vulnerability in npm package strapi

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Tags

Product Patch Release Notes Third Party Advisory NVD-CWE-noinfo