1. Critical XSS Flaw in Dashboard Controller Exposes Users to Cookie-Based JavaScript Injection via Unescaped Font Parameter
A critical cross-site scripting vulnerability has been identified in the application's dashboard controller, stemming from unsanitized user input persisted through cookies. The flaw allowed attacker-controlled `params[:font]` values to be stored in `cookies[:font]` and subsequently injected—without escaping—into an inl...