Description
A type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker who passes an object of a type other than String as the "retval" argument can cause arbitrary code execution.
Remediation
References
Related Vulnerabilities
WordPress Plugin Advanced Advertising System PHP Object Injection (1.3.1)
WordPress Plugin Cardinity Payment Gateway for WooCommerce Cross-Site Scripting (3.0.6)
Ruby on Rails Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-0155)
TYPO3 URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2010-3669)