CVE-2024-53989Cross-site Scripting in Rails Rails-html-sanitizer

CWE-79Cross-site Scripting6 documents5 sources
Severity
2.3LOWNVD
EPSS
1.7%
top 17.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Rails Rails-html-sanitizerRubyonrails Rails Html SanitizersDebian Ruby-rails-html-sanitizer
Timeline
PublishedDec 2

Description

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags for the the "noscript" element. This vulnerability i

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages4 packages

RubyGemsrails/rails-html-sanitizer1.6.01.6.1
CVEListV5rails/rails-html-sanitizer>= 1.6.0, < 1.6.1

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
CVE-2024-53989: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications2024-12-02
GHSA
rails-html-sanitizer has XSS vulnerability with certain configurations2024-12-02
OSV
rails-html-sanitizer has XSS vulnerability with certain configurations2024-12-02

📋Vendor Advisories

2
Red Hat
rails-html-sanitizer: Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.02024-12-02
Debian
CVE-2024-53989: ruby-rails-html-sanitizer - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails appli...2024