CVE-2024-53985Cross-site Scripting in Rails Rails-html-sanitizer

CWE-79Cross-site Scripting6 documents5 sources
Severity
2.3LOWNVD
EPSS
1.6%
top 18.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Rails Rails-html-sanitizerRubyonrails Rails Html SanitizersDebian Ruby-rails-html-sanitizer
Timeline
PublishedDec 2

Description

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags with both "math"

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

RubyGemsrails/rails-html-sanitizer1.6.01.6.1
CVEListV5rails/rails-html-sanitizer>= 1.6.0, < 1.6.1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
CVE-2024-53985: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications2024-12-02
OSV
rails-html-sanitize has XSS vulnerability with certain configurations2024-12-02
GHSA
rails-html-sanitize has XSS vulnerability with certain configurations2024-12-02

📋Vendor Advisories

2
Red Hat
rails-html-sanitizer: Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.02024-12-02
Debian
CVE-2024-53985: ruby-rails-html-sanitizer - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails appli...2024