Cross-site Scripting in view_component

CVE-2022-24722

8.1HIGH

Key Information

Vendor: Github
Status: View Component
Vendor: CVE Published:; 2 March 2022

Summary

VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the `translate` method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to the `translate` function, or sanitize the inputs before passing them.

Affected Version(s)

view_component < 2.31.0, 2.31.2

view_component < 2.32.0, 2.49.1

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Risk change from: 6.1 to: 8.1 - (HIGH)
Feb 22, 2024
Vulnerability published.
Mar 2, 2022
Vulnerability Reserved.
Feb 10, 2022

Collectors

NVD DatabaseMitre Database