view_component Cross-site Scripting vulnerability
CVE-2024-21636

6.1MEDIUM

Key Information:

Vendor

Viewcomponent

Status
View Component
Vendor
CVE Published:
4 January 2024

What is CVE-2024-21636?

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a #call method (i.e. instead of using a sidecar template) are affected. The return value of the #call method is not sanitized and can include user-defined content. In addition, the return value of the #output_postamble methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the #call and the #output_postamble vulnerabilities. As a workaround, sanitize the return value of #call.

Affected Version(s)

view_component >= 3.0.0, < 3.9.0 < 3.0.0, 3.9.0

view_component < 2.83.0 < 2.83.0

References

https://github.com/ViewComponent/view_component/security/...
x_refsource_CONFIRM
https://github.com/ViewComponent/view_component/pull/1950
x_refsource_MISC
https://github.com/ViewComponent/view_component/pull/1962
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.