/tmp file injection vulnerability
A malicious user creating /tmp/out.html first and repeatedly writing to it can inject malicious html into the file right before it is opened. PoC: nobody () sp0rk:/$ while (true); do echo " alert('Hello'); " >> /tmp/out.html; done Will pop up a javascript alert in other gem users browser.