CVE-2023-26153 (geokit-rails): geokit-rails Command Injection vulnerability

Ruby Security Advisory

Versions of the package geokit-rails before 2.5.0 are vulnerable
to Command Injection due to unsafe deserialisation of YAML within
the ‘geo_location’ cookie. This issue can be exploited remotely
via a malicious cookie value.


An attacker can use this vulnerability to execute commands
on the host system.
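
The following is an added example, not code from geokit-rails or from this advisory: one way to parse a client-supplied cookie such as 'geo_location' so that YAML type tags can never instantiate Ruby objects. The field names, the size limit and the parse_geo_cookie helper are assumptions made for illustration.

```ruby
require "yaml"

# Assumed field names and size limit, chosen for illustration only.
ALLOWED_KEYS = %w[lat lng city country_code].freeze
MAX_COOKIE_BYTES = 1024

# Returns a Hash of plain scalars, or nil when the cookie is rejected.
# YAML.safe_load with empty allow-lists refuses every !ruby/... tag,
# symbols and aliases, so the cookie can only yield basic data types.
def parse_geo_cookie(raw)
  return nil unless raw.is_a?(String) && raw.bytesize <= MAX_COOKIE_BYTES

  data = YAML.safe_load(raw, permitted_classes: [], permitted_symbols: [],
                             aliases: false)

  # Shape checks: a flat mapping of known keys to scalar values.
  return nil unless data.is_a?(Hash)
  return nil unless data.keys.all? { |k| ALLOWED_KEYS.include?(k) }
  return nil unless data.values.all? do |v|
    v.nil? || v.is_a?(Numeric) || v.is_a?(String)
  end

  data
rescue Psych::Exception
  # Covers Psych::DisallowedClass, Psych::BadAlias and Psych::SyntaxError.
  nil
end

# Constructed sample cookie values (not captured from any real system).
PLAIN_COOKIE   = "lat: 48.85\nlng: 2.35\ncity: Paris\n"
TAGGED_COOKIE  = "--- !ruby/object:Object {}\n"   # harmless object tag
ALIASED_COOKIE = "lat: &v 1.5\nlng: *v\n"
UNKNOWN_KEY    = "lat: 1.0\nrole: admin\n"

if __FILE__ == $PROGRAM_NAME
  { "plain" => PLAIN_COOKIE, "tagged" => TAGGED_COOKIE,
    "aliased" => ALIASED_COOKIE, "unknown key" => UNKNOWN_KEY }.each do |name, raw|
    puts "#{name}: #{parse_geo_cookie(raw).inspect}"
  end
end
```

A rejected cookie should be treated as absent, and logging the rejection gives a signal that tagged YAML is being sent to the application.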