Cross-Site Scripting Vulnerability in Rails::Html::Sanitizer for Ruby on Rails
CVE-2022-32209
Key Information:
- Vendor: Rubyonrails
- CVE Published: 24 June 2022
What is CVE-2022-32209?
A Cross-Site Scripting (XSS) vulnerability exists in Rails::Html::Sanitizer that can be exploited when certain configurations allow the inclusion of 'select' and 'style' tags. If an application developer overrides the default settings to permit these tags, attackers may inject malicious content that could compromise user data and integrity. It is crucial for users who have customized the allowed tags for sanitization through any means—such as application configuration or the sanitize helper—to either promptly upgrade to the fixed version or apply workarounds by removing 'select' or 'style' from their configurations.
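The advisory's workaround is a configuration change: keep `select` and `style` out of any customised allow-list, whether it was set through `config.action_view.sanitized_allowed_tags` or passed as the `tags:` option of the `sanitize` helper. The following Ruby is an added example, not code from the advisory or from rails-html-sanitizer; it does not load the gem. It audits an allow-list in either of those shapes, produces the hardened copy, and runs a simple heuristic scan over constructed source lines to locate where a code base added the two tags. The sample configurations and source snippet are constructed for this example.

```ruby
require "set"

# Tags that CVE-2022-32209 turns into an XSS vector once an application adds
# them to the sanitizer allow-list (taken from the advisory text above).
RISKY_TAGS = %w[select style].freeze

# Normalise the shapes developers use for an allow-list: an Array or Set of
# Strings or Symbols, as accepted by `sanitize(html, tags: ...)` and by
# `config.action_view.sanitized_allowed_tags`.
def normalize_tags(tags)
  Array(tags).map { |t| t.to_s.downcase.strip }.uniq
end

# Audit one allow-list. Returns the offending tags and a hardened copy that
# applies the advisory's workaround (drop select and style).
def audit_allowed_tags(tags)
  allowed = normalize_tags(tags)
  offending = allowed & RISKY_TAGS
  {
    vulnerable: !offending.empty?,
    offending: offending,
    hardened: allowed - RISKY_TAGS
  }
end

# Heuristic source scan: report lines that configure the sanitizer allow-list
# and mention select or style. It matches on tag names only, so a line using
# a `style=` attribute would also be flagged; treat hits as leads to review.
CONFIG_LINE = /sanitized_allowed_tags|\bsanitize\b|allowed_tags/
def find_risky_tag_configs(source)
  source.lines.each_with_index.filter_map do |line, idx|
    next unless line =~ CONFIG_LINE
    tags = line.scan(/\b(select|style)\b/).flatten.uniq
    { line: idx + 1, tags: tags } unless tags.empty?
  end
end

# Constructed configurations (not from any real application).
# Weak: the defaults were extended to allow <select> and <style>.
WEAK_CONFIG = Set.new(%w[p a b i strong em ul ol li select style])
# Hardened: the same list with the two risky tags removed.
SAFE_CONFIG = WEAK_CONFIG - RISKY_TAGS

# Constructed source lines of the kind the scan is meant to surface.
SAMPLE_SOURCE = <<~SRC
  config.action_view.sanitized_allowed_tags = %w[p a b select]
  <%= sanitize @post.body, tags: %w[p br style] %>
  <%= sanitize @comment.body, tags: %w[p br] %>
SRC

if __FILE__ == $PROGRAM_NAME
  p audit_allowed_tags(WEAK_CONFIG)
  p audit_allowed_tags(SAFE_CONFIG)
  p find_risky_tag_configs(SAMPLE_SOURCE)
end
```

Running the file prints the audit of both configurations and the two flagged source lines; the hardened list from `audit_allowed_tags` is what to assign back to the configuration until the application is on a fixed release.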
Affected Version(s)
https://github.com/rails/rails-html-sanitizer v1.4.3
EPSS Score
5% chance of being exploited in the next 30 days.
