Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value. **Note:** An attacker can use this vulnerability to execute commands on the host system.
- https://gist.github.com/CalumHutton/b7aa1c2e71c8d4386463ac14f686901d
- https://security.snyk.io/vuln/SNYK-RUBY-GEOKITRAILS-5920323
- https://github.com/fkie-cad/nvd-json-data-feeds