GHSA-ch3h-j2vf-95pv
Vulnerability from github
There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.
Versions Affected: ALL Not affected: NONE Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
Impact
If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.
Impacted code will look something like this:
check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })
Where the "malicious_input" variable contains untrusted data.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
Escape the untrusted data before using it as a key for tag helper methods.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 5.2.7.0" }, "package": { "ecosystem": "RubyGems", "name": "actionview" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "5.2.7.1" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 6.0.4.7" }, "package": { "ecosystem": "RubyGems", "name": "actionview" }, "ranges": [ { "events": [ { "introduced": "6.0.0" }, { "fixed": "6.0.4.8" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 6.1.5.0" }, "package": { "ecosystem": "RubyGems", "name": "actionview" }, "ranges": [ { "events": [ { "introduced": "6.1.0" }, { "fixed": "6.1.5.1" } ], "type": "ECOSYSTEM" } ] }, { "database_specific": { "last_known_affected_version_range": "\u003c= 7.0.2.3" }, "package": { "ecosystem": "RubyGems", "name": "actionview" }, "ranges": [ { "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.2.4" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-27777" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-04-27T22:32:49Z", "nvd_published_at": "2022-05-26T17:15:00Z", "severity": "MODERATE" }, "details": "There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.\n\nVersions Affected: ALL\nNot affected: NONE\nFixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1\n\n## Impact\n\nIf untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.\n\nImpacted code will look something like this:\n\n```\ncheck_box_tag(\u0027thename\u0027, \u0027thevalue\u0027, false, aria: { malicious_input =\u003e \u0027thevalueofaria\u0027 })\n```\n\nWhere the \"malicious_input\" variable contains untrusted data.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\n## Releases\n\nThe FIXED releases are available at the normal locations.\n\n## Workarounds\n\nEscape the untrusted data before using it as a key for tag helper methods.\n", "id": "GHSA-ch3h-j2vf-95pv", "modified": "2023-06-07T15:35:54Z", "published": "2022-04-27T22:32:49Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27777" }, { "type": "WEB", "url": "https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85" }, { "type": "WEB", "url": "https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534" }, { "type": "PACKAGE", "url": "https://github.com/rails/rails" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml" }, { "type": "WEB", "url": "https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html" }, { "type": "WEB", "url": "https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released" }, { "type": "WEB", "url": "https://www.debian.org/security/2023/dsa-5372" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ], "summary": "XSS Vulnerability in Action View tag helpers" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.