CVE-2022-32209 — Cross-site Scripting in Rails Rails-html-sanitizer
Severity
6.1MEDIUMNVD
EPSS
4.6%
top 10.79%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 24
Latest updateJan 4
Description
# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `s…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7
Affected Packages5 packages
Also affects: Debian Linux 10.0, Fedora 35, 36
🔴Vulnerability Details
6OSV▶
CVE-2022-23520: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications↗2022-12-14
📋Vendor Advisories
4Red Hat▶
rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations↗2022-12-13
Debian▶
CVE-2022-23520: ruby-rails-html-sanitizer - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails appli...↗2022
Debian▶
CVE-2022-32209: ruby-rails-html-sanitizer - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vu...↗2022
💬Community
3HackerOne▶
CVE-2022-23520: Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)↗2023-01-04
HackerOne▶
Incomplete fix for CVE-2022-32209 (XSS in Rails::Html::Sanitizer under certain configurations)↗2022-12-14
HackerOne▶
Rails::Html::SafeListSanitizer vulnerable to xss attack in an environment that allows the style tag↗2022-06-27