EPSS Percentile: 44.6%
Chartkick is vulnerable to Cross-Site Scripting (XSS). The JSON data passed to the chartkick_chart function is not properly sanitised, so an attacker who controls that data can supply malicious input that executes arbitrary JavaScript in the victim's browser.
github.com/ankane/chartkick/commit/cad8cf999b5841e4a3e9a10c88b1a63d8facc858
github.com/ankane/chartkick/issues/488
github.com/rubysec/ruby-advisory-db/blob/master/gems/chartkick/CVE-2019-12732.yml