Danger, danger: High Voltage vulnerability
Version 1.2.0 of high_voltage is a security fix. Please upgrade.
The high_voltage static page gem prior to version 1.2.0 allows an attacker to make the Rails app render arbitrary files as if they were ERB templates. The attacker can trigger this local file inclusion (LFI) through URL-encoded Unicode characters, which bypass the Ruby
Upgrade to version 1.2.0 of high_voltage:
bundle update high_voltage
If you cannot upgrade easily, you can instead subclass HighVoltage::PagesController to override the method and remove invalid characters manually. More details on overriding can be found in the high_voltage
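The manual mitigation comes down to one ordering rule: decode the page id completely, then allowlist what is left, then resolve it to a file. The Ruby below is an added illustration written for this post, not code from the high_voltage gem, and it does not claim to reproduce the gem's own check. The module and method names (PagePathSanitizer, naive_clean, strict_clean, decode_fully), the allowlist, and the sample ids (including a percent-encoded traversal and percent-encoded fullwidth full stops as the "URL-encoded Unicode" case) are all constructed here. It puts a check that inspects the raw, still-encoded id next to one that decodes first and allowlists the decoded value, so you can see which inputs each one lets through.

```ruby
require 'uri'

# Illustrative sanitizer for a static-page id taken from the URL (hypothetical
# name; NOT the high_voltage gem's own implementation). The point: a check
# applied to a still-percent-encoded value only ever sees ASCII "%XX" triples,
# so encoded traversal sequences and encoded Unicode characters pass it and
# only take their real shape once the framework (or the gem) decodes them.
module PagePathSanitizer
  # Allowlist for a decoded page id: ASCII letters, digits, '_', '-' and '/'.
  # Every other character, including all non-ASCII, is rejected outright.
  ALLOWED = %r{\A[A-Za-z0-9_\-/]+\z}

  # The easy-to-get-wrong order: blocklist the raw id, then decode.
  # "%2e%2e/" contains no literal "..", so it passes and then decodes to "../".
  def self.naive_clean(raw_id)
    return nil if raw_id.include?('..')
    URI.decode_www_form_component(raw_id)
  rescue ArgumentError # malformed %-encoding such as "%zz"
    nil
  end

  # Hardened order: decode completely, allowlist the decoded value, then refuse
  # empty path segments (which also rejects "/etc/passwd", "a//b" and "a/").
  def self.strict_clean(raw_id)
    decoded = decode_fully(raw_id)
    return nil if decoded.nil?
    return nil unless decoded.match?(ALLOWED) # '.' is not allowed, so ".." cannot survive
    return nil if decoded.split('/', -1).any?(&:empty?)
    decoded
  end

  # Decode until the value stops changing, so double encoding
  # ("%252e" -> "%2e" -> ".") cannot hide a character from the allowlist.
  # Returns nil on malformed %-encoding, on bytes that are not valid UTF-8,
  # or if the value is still changing after `limit` rounds.
  def self.decode_fully(str, limit = 3)
    limit.times do
      decoded = URI.decode_www_form_component(str)
      return nil unless decoded.valid_encoding?
      return str if decoded == str
      str = decoded
    end
    nil
  rescue ArgumentError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample ids (not captured traffic): a normal page, a
  # percent-encoded traversal, percent-encoded Unicode (fullwidth full stops,
  # U+FF0E), a double-encoded traversal, and a percent-encoded accented letter.
  ['about/team',
   '%2e%2e/%2e%2e/config/database',
   '%EF%BC%8E%EF%BC%8E/secrets',
   '%252e%252e/etc',
   'caf%C3%A9'].each do |id|
    printf("%-32s naive=%-28p strict=%p\n", id,
           PagePathSanitizer.naive_clean(id), PagePathSanitizer.strict_clean(id))
  end
end
```

In a Rails app the strict routine would be called from the overriding method in your HighVoltage::PagesController subclass, with the sanitized id then mapped to a template under the pages directory; a nil result should become a 404 rather than a fallback path. Note that the allowlist deliberately excludes '.', so the segment check only has to deal with empty segments, and that rejecting the whole id is safer than stripping offending characters and continuing with whatever remains.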
Thanks to Jefferson Venerando for bringing the Unicode exploit to our attention.