GHSA-pg8v-g4xq-hww9
Vulnerability from github
Published
2022-06-25 00:00
Modified
2022-07-07 17:13
Summary
Rails::Html::Sanitizer vulnerable to Cross-site Scripting
Details

Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both select and style elements. Code is only impacted if allowed tags are being overridden.

This may be done via application configuration: ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a :tags option to the Action View helper sanitize: <%= sanitize @comment.body, tags: ["select", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

It may also be done with Rails::Html::SafeListSanitizer directly: ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"] or with ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either select or style from the overridden allowed tags.

Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rails-html-sanitizer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-32209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-05T18:10:35Z",
    "nvd_published_at": "2022-06-24T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which  allows an attacker to inject content when the application developer has overridden the sanitizer\u0027s allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. \n\nThis may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`: ```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e``` \n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize \n\nIt may also be done with Rails::Html::SafeListSanitizer directly: \n```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```  or with\n```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.",
  "id": "GHSA-pg8v-g4xq-hww9",
  "modified": "2022-07-07T17:13:54Z",
  "published": "2022-06-25T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1530898"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails-html-sanitizer"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Rails::Html::Sanitizer vulnerable to Cross-site Scripting"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.