Gmcgibbon

Rank: #37113 of 53,638
Total CVSS: 7.5
Vulnerabilities: 1
PT-2021-4590 · CVSS 7.5 · 2021-02-18
Ruby On Rails · Action Pack · CVE-2021-22885
**Name of the Vulnerable Software and Affected Versions**

Action Pack versions 2.0.0 and later are affected:
- Action Pack versions prior to 5.2 (fixed with the provided patch)
- Action Pack versions prior to 6.0 (fixed with the provided patch)
- Action Pack versions prior to 6.1 (fixed with the provided patch)

**Description**

The issue is a possible information disclosure or unintended method execution in Action Pack when the `redirect_to` or `polymorphic_url` helper is called with untrusted user input. This could allow a remote attacker to access confidential data. Vulnerable code may look like `redirect_to(params[:some_param])`.

**Recommendations**

For Action Pack version 2.0.0 and later, upgrade to a fixed release or apply one of the provided patches:
- For Action Pack versions prior to 5.2, apply `5-2-information-disclosure.patch`.
- For Action Pack versions prior to 6.0, apply `6-0-information-disclosure.patch`.
- For Action Pack versions prior to 6.1, apply `6-1-information-disclosure.patch`.

As a temporary workaround, use an allow list for the values accepted from the user, for example a `check` function that validates the parameter before it is passed to `redirect_to`. Alternatively, force the user input to a string, as in `params[:some_param].to_s`, so that the helper never receives a non-string value; this reduces but does not eliminate the risk.
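The following is an added example illustrating the two workarounds above; it is not code from the advisory or from Rails. It simulates the `params` hash with a plain Ruby hash so it runs without Rails, and the allow-listed paths and the `check`, `cast_to_string` and `redirect_target_for` names are assumptions made for this example. `check` is the allow-list approach: only a plain `String` that exactly matches a known path is returned, and anything else (nil, a `Hash`, an `Array`, an unknown path) falls back to a fixed default. `cast_to_string` is the weaker `.to_s` fallback, which only guarantees the helper sees a `String`.

```ruby
# Added example (not from the advisory or Rails): allow-list validation of a
# redirect target taken from user input, beside the string-cast fallback.
# The paths in ALLOWED_REDIRECTS and the helper names are constructed for
# this example.

ALLOWED_REDIRECTS = %w[/dashboard /account /orders].freeze
DEFAULT_REDIRECT = "/".freeze

# Allow-list check for the untrusted value params[:some_param].
# Returns the value only if it is a String that exactly matches an
# allow-listed path; every other input yields DEFAULT_REDIRECT.
def check(value)
  return DEFAULT_REDIRECT unless value.is_a?(String)

  ALLOWED_REDIRECTS.include?(value) ? value : DEFAULT_REDIRECT
end

# The weaker alternative named in the advisory: force the value to a String
# so that redirect_to / polymorphic_url never receive a Hash or Array.
# Note that this does not validate the destination, only its type.
def cast_to_string(value)
  value.to_s
end

# Simulated controller usage: the argument stands in for Rails' params.
# In a real action the result would be passed to redirect_to.
def redirect_target_for(params)
  check(params[:some_param])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: an allow-listed path, an unknown path, and a Hash
  # (a non-string value that the allow list rejects outright).
  p redirect_target_for({ some_param: "/account" })       # "/account"
  p redirect_target_for({ some_param: "/not-listed" })    # "/"
  p redirect_target_for({ some_param: { "a" => "b" } })   # "/"
  p cast_to_string({ "a" => "b" }).class                  # String
end
```

The allow list is preferable because it decides where a user may be sent, whereas the cast only settles what type the helper receives; the advisory presents the cast as the fallback, and the example keeps that ordering.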