---
gem: field_test
cve: 2019-13146
url: https://github.com/ankane/field_test/issues/17
title: Arbitrary Variants Via Query Parameters
date: 2019-07-01
description: |
  Due to unvalidated input, an attacker can pass in arbitrary variants via
  query parameters. If an application treats variants as trusted, this can
  lead to potential vulnerabilities like SQL injection or cross-site
  scripting (XSS).

  For instance:

      landing_page = field_test(:landing_page)
      Page.where("key = '#{landing_page}'")
patched_versions:
  - ">= 0.3.1"
unaffected_versions:
  - "< 0.3.0"
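An added example, not field_test's own code, contrasting the unvalidated variant lookup the advisory describes with a version that honours a query-string override only when it matches the experiment's configured variants, and showing the page lookup with a bind parameter instead of string interpolation. The parameter name `field_test_<experiment>`, the `EXPERIMENTS` hash and the function names are assumptions for illustration.

```ruby
# Constructed configuration in the shape of an experiment list
# (experiment name => allowed variants); not the gem's real config loader.
EXPERIMENTS = {
  "landing_page" => %w[control short long]
}.freeze

# Vulnerable resolution: a query-parameter override (assumed name
# "field_test_<experiment>") is returned as-is, whatever it contains.
def variant_unvalidated(experiment, params, assigned)
  params["field_test_#{experiment}"] || assigned
end

# Hardened resolution: the override is honoured only when it is one of the
# experiment's configured variants; anything else falls back to the
# server-side assignment.
def variant_validated(experiment, params, assigned)
  override = params["field_test_#{experiment}"]
  allowed = EXPERIMENTS.fetch(experiment, [])
  allowed.include?(override) ? override : assigned
end

# The advisory's lookup written two ways. The interpolated form lets the
# variant value alter the statement text; the bind-parameter form keeps the
# statement fixed and passes the value separately.
def interpolated_sql(landing_page)
  "SELECT * FROM pages WHERE key = '#{landing_page}'"
end

def parameterised_sql(landing_page)
  ["SELECT * FROM pages WHERE key = ?", [landing_page]]
end

# Walk one request through both paths. Constructed input: the variant
# parameter carries a quote so that interpolation would change the query.
def demo(hostile = "control' OR 1=1 --")
  params = { "field_test_landing_page" => hostile }
  unsafe = variant_unvalidated("landing_page", params, "control")
  safe   = variant_validated("landing_page", params, "control")
  {
    unsafe_variant: unsafe,               # hostile string survives
    unsafe_sql: interpolated_sql(unsafe), # and lands inside the SQL text
    safe_variant: safe,                   # falls back to "control"
    safe_sql: parameterised_sql(safe)     # structure fixed, value bound
  }
end
```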