CVE-2022-23520

Published: 14/12/2022 Updated: 01/02/2024
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow a malicious user to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version 1.4.4. All users overriding the allowed tags to include both "select" and "style" should either upgrade or use this workaround: remove either "select" or "style" from the overridden allowed tags. NOTE: Code is _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize.
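The summary above pins the exposure to one configuration pattern: a global override of the sanitizer's allowed tags that contains both "select" and "style". The script below is an added example, not part of this CVE record or of the rails-html-sanitizer project; it audits the text of a Rails initializer for exactly that pattern and reports the advisory's workaround (dropping one of the two elements; it drops "style", which is an assumption about which element the application can spare). The initializer content is constructed for the example and its path (config/initializers/sanitizer.rb) is hypothetical. Per-call overrides via the :tags option are deliberately not flagged, matching the note that they are not impacted.

```ruby
require "set"

# Constructed sample of a global allowed-tags override, assumed to live at
# config/initializers/sanitizer.rb (hypothetical path, not from the CVE record).
SAMPLE_INITIALIZER = <<~RUBY
  # constructed sample initializer
  Rails::Html::SafeListSanitizer.allowed_tags = Set.new(%w[p br select option style])
RUBY

# The element pair named by CVE-2022-23520 (only risky when both are allowed).
RISKY_PAIR = Set.new(%w[select style]).freeze

# Extract the tag names from a global `SafeListSanitizer.allowed_tags = ...`
# assignment. Returns nil when no such override is present in the source.
# Handles %w[...] / %w(...) / %w{...} word lists and quoted string lists.
def overridden_allowed_tags(source)
  m = source.match(/SafeListSanitizer\.allowed_tags\s*=\s*(.+)$/)
  return nil unless m

  rhs = m[1]
  if (w = rhs.match(/%w[\[\(\{]([^\]\)\}]*)[\]\)\}]/))
    Set.new(w[1].split)
  else
    Set.new(rhs.scan(/["']([^"']+)["']/).flatten)
  end
end

# True only when the override allows both "select" and "style".
def risky_override?(tags)
  !tags.nil? && RISKY_PAIR.subset?(tags)
end

# Advisory workaround: remove one of the two elements. Dropping "style" is an
# assumption; removing "select" instead is equally valid per the advisory.
def mitigated_tags(tags)
  tags - ["style"]
end

# Audit one initializer's source text and summarise the finding.
def audit(source)
  tags = overridden_allowed_tags(source)
  return { override: false, risky: false } if tags.nil?

  {
    override: true,
    risky: risky_override?(tags),
    tags: tags.to_a.sort,
    suggested: mitigated_tags(tags).to_a.sort
  }
end

if __FILE__ == $0
  puts audit(SAMPLE_INITIALIZER).inspect
end
```

A real audit would run `audit` over every file under config/initializers and treat `risky: true` as a finding to pair with the gem version check (anything below 1.4.4 needs the upgrade or the workaround).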

Vulnerable Products

rubyonrails rails html sanitizers

debian debian linux 10.0

Vendor Advisories

Synopsis: Important: Satellite 6.13 Release. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Satellite 6.13. The release contains a new version of Satellite and important security fixes ...
Debian Bug report logs - #1027153 ruby-rails-html-sanitizer: CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520. Package: src:ruby-rails-html-sanitizer; Maintainer for src:ruby-rails-html-sanitizer is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil ...
Description: The MITRE CVE dictionary describes this issue as: rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an atta ...

Github Repositories

Scans Software Bill of Materials (SBOMs) for security vulnerabilities

bomber is an application that scans SBOMs for security vulnerabilities. Overview: So you've asked a vendor for a Software Bill of Materials (SBOM) for one of their closed source products, and they provided one to you in a JSON file. Now what? The first thing you're going to want to do is see if any of the components listed inside the SBOM have security vulnerabiliti