{"id":"CVE-2023-26153","details":"Versions of the package geokit-rails before 2.5.0 are vulnerable to Command Injection due to unsafe deserialisation of YAML within the 'geo_location' cookie. This issue can be exploited remotely via a malicious cookie value.\r\r**Note:**\r\r An attacker can use this vulnerability to execute commands on the host system.","aliases":["GHSA-7xvc-v44j-46fh"],"modified":"2026-04-02T08:52:50.443863Z","published":"2023-10-06T05:15:52.803Z","references":[{"type":"WEB","url":"https://github.com/geokit/geokit-rails/blob/master/lib/geokit-rails/ip_geocode_lookup.rb%23L37"},{"type":"FIX","url":"https://github.com/geokit/geokit-rails/commit/7ffc5813e57f6f417987043e1039925fd0865c43"},{"type":"FIX","url":"https://github.com/geokit/geokit-rails/commit/a93dfe49fb9aeae7164e2f8c4041450a04b5482f"},{"type":"FIX","url":"https://security.snyk.io/vuln/SNYK-RUBY-GEOKITRAILS-5920323"},{"type":"EVIDENCE","url":"https://gist.github.com/CalumHutton/b7aa1c2e71c8d4386463ac14f686901d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/geokit/geokit-rails","events":[{"introduced":"0"},{"fixed":"7ffc5813e57f6f417987043e1039925fd0865c43"}]},{"type":"GIT","repo":"https://github.com/geokit/geokit-rails","events":[{"introduced":"0"},{"fixed":"a93dfe49fb9aeae7164e2f8c4041450a04b5482f"}]},{"type":"GIT","repo":"https://github.com/geokit/geokit-rails","events":[{"introduced":"0"},{"fixed":"7ffc5813e57f6f417987043e1039925fd0865c43"}]},{"type":"GIT","repo":"https://github.com/geokit/geokit-rails","events":[{"introduced":"0"},{"fixed":"a93dfe49fb9aeae7164e2f8c4041450a04b5482f"}]}],"versions":["v2.0.0","v2.0.1","v2.1.0","v2.2.0","v2.3.0","v2.3.1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"2.5.0"}]},{"events":[{"introduced":"0"},{"fixed":"2.5.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26153.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}