From 772643579534356e5681a941d43feb25d7c4bb9c Mon Sep 17 00:00:00 2001
From: Andrew Kane
Date: Tue, 4 Jun 2019 12:13:33 -0700
Subject: [PATCH] Added CVE-2019-12732 for Chartkick

---
 gems/chartkick/CVE-2019-12732.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 gems/chartkick/CVE-2019-12732.yml

diff --git a/gems/chartkick/CVE-2019-12732.yml b/gems/chartkick/CVE-2019-12732.yml
new file mode 100644
index 0000000000..03369ad070
--- /dev/null
+++ b/gems/chartkick/CVE-2019-12732.yml
@@ -0,0 +1,21 @@
+---
+gem: chartkick
+cve: 2019-12732
+url: https://github.com/ankane/chartkick/issues/488
+title: XSS Vulnerability in Chartkick Ruby Gem
+date: 2019-06-04
+description: |
+  Chartkick is vulnerable to a cross-site scripting (XSS) attack if
+  both the following conditions are met:
+
+  Condition 1:
+  It's used with `ActiveSupport.escape_html_entities_in_json = false`
+  (this is not the default for Rails)
+  OR used with a non-Rails framework like Sinatra.
+
+  Condition 2:
+  Untrusted data or options are passed to a chart.
+
+  <%= line_chart params[:data], min: params[:min] %>
+patched_versions:
+  - ">= 3.2.0"
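Review bot: The advisory carries only `patched_versions: [">= 3.2.0"]` and no `cvss_v3`, so bundler-audit will report every chartkick release below 3.2.0 as vulnerable with no severity; if earlier releases did not accept the per-chart option hash that condition 2 relies on, an `unaffected_versions` entry would avoid false alerts, and a `cvss_v3:` line should be added once NVD or GitHub assigns a score. The description opens with "both the following conditions are met" but condition 1 is itself an either/or, which reads ambiguously in audit output; rewording it to `if condition 1 (either case) and condition 2 are both met` would make the requirement explicit. The ERB line at the end of the description is not labelled, so a reader of the audit report may not see it as the vulnerable pattern; prefixing it with `Example of vulnerable usage:` would make that clear.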