The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a
reflected cross-site scripting (XSS) attack. This flaw exists because the
bootstrap_flash helper method does not validate input when handling flash
messages before returning it to users. This may allow a context-dependent
attacker to create a specially crafted request that would execute arbitrary
script code in a user's browser session within the trust relationship between
their browser and the server.

References

• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/twitter-bootstrap-rails/CVE-2014-4920.yml
• https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter