CVE-2022-32209
Published: 2022-06-24
Priority: P3 (38) · Severity: medium · CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 29.14% (97.9th percentile)
# Possible XSS Vulnerability in Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

This vulnerability has been assigned the CVE identifier CVE-2022-32209.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3

## Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.

Code is only impacted if allowed tags are being overridden. This may be done via application configuration:

```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a `:tags` option to the Action View helper `sanitize`:

```
```

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

Or it may be done with Rails::Html::SafeListSanitizer directly:

```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```

or

```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

## Releases

The FIXED releases are available at the normal locations.

## Workarounds

Remove either `select` or `style` from the overridden allowed tags.

## Credits

This vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).
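As an added example (not code from the advisory or from rails-html-sanitizer), the following script audits application source for the three override mechanisms listed above and flags any line that allows both `select` and `style`, then shows the advisory's workaround of dropping one of them. The sample files it scans are constructed inline, and only plain array and `%w` literals are parsed.

```ruby
# Added example: source-level audit for the risky allowed-tags override.
# Not part of rails-html-sanitizer; sample files are constructed, and only
# simple ["a", "b"] / %w(a b) literals are recognised.

RISKY_TAGS = %w[select style].freeze

# Group 1 captures the tag-list literal following each override mechanism.
TAG_LITERAL = /(\[[^\]]*\]|%w[\[(][^\])]*[\])])/
OVERRIDE_PATTERNS = {
  "config.action_view.sanitized_allowed_tags" => /sanitized_allowed_tags\s*=\s*#{TAG_LITERAL}/,
  "Rails::Html::SafeListSanitizer.allowed_tags" => /SafeListSanitizer\.allowed_tags\s*=\s*#{TAG_LITERAL}/,
  "tags: option to sanitize" => /\btags:\s*#{TAG_LITERAL}/,
}.freeze

# Turn ["select", "style"] or %w(select style em) into lower-cased tag names.
def parse_tag_literal(literal)
  literal.sub(/\A%w[\[(]/, "").scan(/[A-Za-z0-9-]+/).map(&:downcase)
end

# One finding per line whose override allows both risky elements;
# a line allowing only one of them is not flagged.
def audit_source(path, source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    OVERRIDE_PATTERNS.each do |mechanism, pattern|
      match = pattern.match(line) or next
      tags = parse_tag_literal(match[1])
      next unless (RISKY_TAGS - tags).empty?
      findings << { file: path, line: lineno, mechanism: mechanism, tags: tags }
    end
  end
  findings
end

def audit_all(files)
  files.flat_map { |path, source| audit_source(path, source) }
end

# Advisory workaround: remove either tag (style dropped by default).
def apply_workaround(tags, drop: "style")
  tags - [drop]
end

# Constructed sample files covering all three mechanisms.
SAMPLE_FILES = {
  "config/application.rb" => <<~RUBY,
    config.action_view.sanitized_allowed_tags = ["select", "style"]
  RUBY
  "config/initializers/sanitizer.rb" => <<~RUBY,
    Rails::Html::SafeListSanitizer.allowed_tags = %w(select style em)
  RUBY
  "app/views/articles/show.html.erb" => <<~ERB,
    <%= sanitize @article.body, tags: %w(p strong select) %>
  ERB
}.freeze

audit_all(SAMPLE_FILES).each do |f|
  puts "#{f[:file]}:#{f[:line]} #{f[:mechanism]} allows #{f[:tags].join(',')}; " \
       "workaround: #{apply_workaround(f[:tags]).inspect}"
end
```

The ERB view is not flagged because it allows `select` without `style`, which matches the advisory's condition that both must be present.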
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | ruby-rails-html-sanitizer | < ruby-rails-html-sanitizer 1.4.4-1 (bookworm) | ruby-rails-html-sanitizer 1.4.4-1 (bookworm) |
| debian | ruby-rails-html-sanitizer | < ruby-rails-html-sanitizer 1.4.3-0.1 (bookworm) | ruby-rails-html-sanitizer 1.4.3-0.1 (bookworm) |
| fedoraproject | fedora | — | — |
| https | github.com_rails_rails-html-sanitizer | — | — |
| rails | rails-html-sanitizer | < 1.4.4 | 1.4.4 |
| rails | rails-html-sanitizer | >= 0 < 1.4.3 | 1.4.3 |
| rails | rails-html-sanitizer | >= 0 < 1.4.4 | 1.4.4 |
| rubyonrails | rails_html_sanitizers | < 1.4.4 | 1.4.4 |
| rubyonrails | rails_html_sanitizers | < 1.4.3 | 1.4.3 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV · 2022-12-14 · CVSS 6.1
CVE-2022-23520 [MEDIUM]: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both "select" and "style" should either upgrade or use this workaround: Remove either "select" or "style" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tag
OSV · 2022-12-13 · CVSS 6.1
CVE-2022-23520 [MEDIUM]: Possible XSS vulnerability with certain configurations of rails-html-sanitizer
## Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.
- Versions affected: ALL
- Not affected: NONE
- Fixed versions: 1.4.4
## Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.
Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:
1. Using the Rails configuration `config.action_view.sanitized_allowed_tags=`:
```ruby
# In config/application.rb
config.action_view
```
GHSA · 2022-12-13 · CVSS 6.1
CVE-2022-23520 [MEDIUM] CWE-79: Possible XSS vulnerability with certain configurations of rails-html-sanitizer (advisory text identical to the OSV record for CVE-2022-23520 above)
GHSA · 2022-06-25
CVE-2022-32209 [MEDIUM] CWE-79: Rails::Html::Sanitizer vulnerable to Cross-site Scripting
Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden.

This may be done via application configuration:

```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a `:tags` option to the Action View helper `sanitize`:

```
```

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelp
OSV · 2022-06-25
CVE-2022-32209 [MEDIUM]: Rails::Html::Sanitizer vulnerable to Cross-site Scripting (advisory text identical to the GHSA record for CVE-2022-32209 above)
OSV · 2022-06-24 · CVSS 6.1
CVE-2022-32209 [MEDIUM]: Possible XSS Vulnerability in Rails::Html::Sanitizer (advisory text identical to the Rails advisory at the top of this page)
Red Hat · 2022-12-13 · CVSS 6.1
CVE-2022-23520 [MEDIUM] CWE-79: rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations (advisory text identical to the OSV record for CVE-2022-23520 above)
Red Hat · 2022-06-24 · CVSS 6.1
CVE-2022-32209 [MEDIUM] CWE-79: rubygem-rails-html-sanitizer: possible XSS with certain configurations (advisory text identical to the Rails advisory at the top of this page)
Debian · 2022 · CVSS 6.1
CVE-2022-23520 [MEDIUM]: ruby-rails-html-sanitizer (advisory text identical to the OSV record for CVE-2022-23520 above)
Debian · 2022 · CVSS 6.1
CVE-2022-32209 [MEDIUM]: ruby-rails-html-sanitizer (advisory text identical to the Rails advisory at the top of this page)
No detection rules found.
No public exploits indexed.
HackerOne · 2023-01-04 · CVSS 6.1
CVE-2022-23520 [MEDIUM]: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)
The following is from: https://hackerone.com/reports/1654310
HackerOne · 2022-12-14 · CVSS 6.1
CVE-2022-32209 [MEDIUM]: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)
While building a PoC for CVE-2022-32209, I noticed that I could not fix my vulnerable application by updating https://github.com/rails/rails-html-sanitizer from 1.4.2 to 1.4.3 even though the Hackerone report about this vulnerability suggested that this should fix it (see here: https://hackerone.com/reports/1530898).
I built this app with Rails 7.0.3.1 by just running "rails new", adding `config.action_view.sanitized_allowed_tags = ["select", "style"]` to the file `config/application.rb` and creating an endpoint that reflected a parameter after sanitizing it (ERB: `Hello `). When using the payload `alert("XSS")` for the parameter I got an alert no matter what the version of rails-html-sanitizer
HackerOne · 2022-06-27 · CVSS 6.1
[MEDIUM]: Rails::Html::SafeListSanitizer vulnerable to XSS attack in an environment that allows the style tag
It seems to be a problem caused by a difference between the Nokogiri Java implementation and the Ruby implementation.

JRuby 9.3.3.0 (Nokogiri Java), use Rails::Html::SafeListSanitizer.new.sanitize, allow select/style tag

Code:
```ruby
require "rails-html-sanitizer"

# Reproduce with only select and style on the allow list, as in the report.
tags = %w(select style)
puts "------------------------------------------------------------------"
puts "use Rails::Html::SafeListSanitizer.new.sanitize, allow select/style tag"
# The original input markup was lost in extraction; only "Walert(1)" survives.
puts "input: Walert(1)"
puts "output: " + Rails::Html::SafeListSanitizer.new.sanitize("Walert(1)", tags: tags).to_s
puts "------------------------------------------------------------------"
```
Result:
```
input: Walert(1)
scrub --> node type :Nokogiri::XML::Text, node name :text, node to_s :W
```
References
- https://hackerone.com/reports/1530898
- https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47/