Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-apxn-up79-x3ge
Summary
rails-html-sanitizer has XSS vulnerability with certain configurations
## Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.

* Versions affected: 1.6.0
* Not affected: < 1.6.0
* Fixed versions: 1.6.1

## Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:

- the "noscript" element is explicitly allowed

Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.

The default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

  ```ruby
  # In config/application.rb
  config.action_view.sanitized_allowed_tags = ["noscript"]
  ```

  see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a `:tags` option to the Action View helper `sanitize`:

  ```
  <%= sanitize @comment.body, tags: ["noscript"] %>
  ```

  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:

  ```ruby
  # class-level option
  Rails::HTML5::SafeListSanitizer.allowed_tags = ["noscript"]
  ```

  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)

4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:

  ```ruby
  # instance-level option
  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["noscript"])
  ```

  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)

5. setting ActionText::ContentHelper module attribute `allowed_tags`:

  ```ruby
  ActionText::ContentHelper.allowed_tags = ["noscript"]
  ```

All users overriding the allowed tags by any of the above mechanisms to include "noscript" should either upgrade or use one of the workarounds.


## Workarounds

Any one of the following actions will work around this issue:

- Remove "noscript" from the overridden allowed tags,
- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).


## References

- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
- Original report: https://hackerone.com/reports/2509647

## Credit

This vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).
Aliases
0
alias CVE-2024-53989
1
alias GHSA-rxv5-gxqc-xx8g
Fixed_packages
0
url pkg:deb/debian/ruby-rails-html-sanitizer@0?distro=trixie
purl pkg:deb/debian/ruby-rails-html-sanitizer@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@0%3Fdistro=trixie
1
url pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie
purl pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie
2
url pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie
purl pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie
3
url pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie
purl pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie
4
url pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie
purl pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie
5
url pkg:gem/rails-html-sanitizer@1.6.1
purl pkg:gem/rails-html-sanitizer@1.6.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.6.1
Affected_packages
0
url pkg:gem/rails-html-sanitizer@1.0.0
purl pkg:gem/rails-html-sanitizer@1.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ece-9xu2-z7ea
1
vulnerability VCID-327c-vdne-j7ar
2
vulnerability VCID-6158-4ade-h7ba
3
vulnerability VCID-63em-3vdj-j3cu
4
vulnerability VCID-782b-usu3-bbhd
5
vulnerability VCID-apxn-up79-x3ge
6
vulnerability VCID-cphr-tdzs-x7ar
7
vulnerability VCID-ete9-xwuw-puf8
8
vulnerability VCID-nc6s-6usd-gkeb
9
vulnerability VCID-rhb1-h2b8-jucb
10
vulnerability VCID-rz3c-6h7r-6bam
11
vulnerability VCID-ueen-aybd-tqh2
12
vulnerability VCID-xby9-avva-a3e5
13
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.0.0
1
url pkg:gem/rails-html-sanitizer@1.0.1
purl pkg:gem/rails-html-sanitizer@1.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ece-9xu2-z7ea
1
vulnerability VCID-327c-vdne-j7ar
2
vulnerability VCID-6158-4ade-h7ba
3
vulnerability VCID-63em-3vdj-j3cu
4
vulnerability VCID-782b-usu3-bbhd
5
vulnerability VCID-apxn-up79-x3ge
6
vulnerability VCID-cphr-tdzs-x7ar
7
vulnerability VCID-ete9-xwuw-puf8
8
vulnerability VCID-nc6s-6usd-gkeb
9
vulnerability VCID-rhb1-h2b8-jucb
10
vulnerability VCID-rz3c-6h7r-6bam
11
vulnerability VCID-ueen-aybd-tqh2
12
vulnerability VCID-xby9-avva-a3e5
13
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.0.1
2
url pkg:gem/rails-html-sanitizer@1.0.2
purl pkg:gem/rails-html-sanitizer@1.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ece-9xu2-z7ea
1
vulnerability VCID-327c-vdne-j7ar
2
vulnerability VCID-6158-4ade-h7ba
3
vulnerability VCID-63em-3vdj-j3cu
4
vulnerability VCID-782b-usu3-bbhd
5
vulnerability VCID-an3h-1c9y-f3bp
6
vulnerability VCID-apxn-up79-x3ge
7
vulnerability VCID-cphr-tdzs-x7ar
8
vulnerability VCID-ete9-xwuw-puf8
9
vulnerability VCID-nc6s-6usd-gkeb
10
vulnerability VCID-rhb1-h2b8-jucb
11
vulnerability VCID-rz3c-6h7r-6bam
12
vulnerability VCID-ueen-aybd-tqh2
13
vulnerability VCID-ujza-s7ug-9fcp
14
vulnerability VCID-xby9-avva-a3e5
15
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.0.2
3
url pkg:gem/rails-html-sanitizer@1.0.3
purl pkg:gem/rails-html-sanitizer@1.0.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-xby9-avva-a3e5
10
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.0.3
4
url pkg:gem/rails-html-sanitizer@1.0.4
purl pkg:gem/rails-html-sanitizer@1.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.0.4
5
url pkg:gem/rails-html-sanitizer@1.1.0
purl pkg:gem/rails-html-sanitizer@1.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.1.0
6
url pkg:gem/rails-html-sanitizer@1.2.0
purl pkg:gem/rails-html-sanitizer@1.2.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.2.0
7
url pkg:gem/rails-html-sanitizer@1.3.0
purl pkg:gem/rails-html-sanitizer@1.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.3.0
8
url pkg:gem/rails-html-sanitizer@1.4.0
purl pkg:gem/rails-html-sanitizer@1.4.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.4.0
9
url pkg:gem/rails-html-sanitizer@1.4.1
purl pkg:gem/rails-html-sanitizer@1.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.4.1
10
url pkg:gem/rails-html-sanitizer@1.4.2
purl pkg:gem/rails-html-sanitizer@1.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-ete9-xwuw-puf8
5
vulnerability VCID-rhb1-h2b8-jucb
6
vulnerability VCID-rz3c-6h7r-6bam
7
vulnerability VCID-ueen-aybd-tqh2
8
vulnerability VCID-wxfr-bs81-augc
9
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.4.2
11
url pkg:gem/rails-html-sanitizer@1.4.3
purl pkg:gem/rails-html-sanitizer@1.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-63em-3vdj-j3cu
1
vulnerability VCID-782b-usu3-bbhd
2
vulnerability VCID-apxn-up79-x3ge
3
vulnerability VCID-cphr-tdzs-x7ar
4
vulnerability VCID-rhb1-h2b8-jucb
5
vulnerability VCID-rz3c-6h7r-6bam
6
vulnerability VCID-ueen-aybd-tqh2
7
vulnerability VCID-wxfr-bs81-augc
8
vulnerability VCID-zcs7-hzze-u3a5
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.4.3
12
url pkg:gem/rails-html-sanitizer@1.4.4
purl pkg:gem/rails-html-sanitizer@1.4.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-apxn-up79-x3ge
1
vulnerability VCID-cphr-tdzs-x7ar
2
vulnerability VCID-rhb1-h2b8-jucb
3
vulnerability VCID-rz3c-6h7r-6bam
4
vulnerability VCID-ueen-aybd-tqh2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.4.4
13
url pkg:gem/rails-html-sanitizer@1.5.0
purl pkg:gem/rails-html-sanitizer@1.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-apxn-up79-x3ge
1
vulnerability VCID-cphr-tdzs-x7ar
2
vulnerability VCID-rhb1-h2b8-jucb
3
vulnerability VCID-rz3c-6h7r-6bam
4
vulnerability VCID-ueen-aybd-tqh2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.5.0
14
url pkg:gem/rails-html-sanitizer@1.6.0.rc1
purl pkg:gem/rails-html-sanitizer@1.6.0.rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-apxn-up79-x3ge
1
vulnerability VCID-cphr-tdzs-x7ar
2
vulnerability VCID-rhb1-h2b8-jucb
3
vulnerability VCID-rz3c-6h7r-6bam
4
vulnerability VCID-ueen-aybd-tqh2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.6.0.rc1
15
url pkg:gem/rails-html-sanitizer@1.6.0.rc2
purl pkg:gem/rails-html-sanitizer@1.6.0.rc2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-apxn-up79-x3ge
1
vulnerability VCID-cphr-tdzs-x7ar
2
vulnerability VCID-rhb1-h2b8-jucb
3
vulnerability VCID-rz3c-6h7r-6bam
4
vulnerability VCID-ueen-aybd-tqh2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.6.0.rc2
16
url pkg:gem/rails-html-sanitizer@1.6.0
purl pkg:gem/rails-html-sanitizer@1.6.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-apxn-up79-x3ge
1
vulnerability VCID-cphr-tdzs-x7ar
2
vulnerability VCID-rhb1-h2b8-jucb
3
vulnerability VCID-rz3c-6h7r-6bam
4
vulnerability VCID-ueen-aybd-tqh2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails-html-sanitizer@1.6.0
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53989.json
reference_id
reference_type
scores
0
value 3.1
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53989.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53989
reference_id
reference_type
scores
0
value 0.01691
scoring_system epss
scoring_elements 0.82267
published_at 2026-04-16T12:55:00Z
1
value 0.01691
scoring_system epss
scoring_elements 0.8223
published_at 2026-04-13T12:55:00Z
2
value 0.01691
scoring_system epss
scoring_elements 0.82236
published_at 2026-04-12T12:55:00Z
3
value 0.01691
scoring_system epss
scoring_elements 0.82244
published_at 2026-04-11T12:55:00Z
4
value 0.01691
scoring_system epss
scoring_elements 0.82224
published_at 2026-04-09T12:55:00Z
5
value 0.01691
scoring_system epss
scoring_elements 0.82217
published_at 2026-04-08T12:55:00Z
6
value 0.01691
scoring_system epss
scoring_elements 0.82191
published_at 2026-04-07T12:55:00Z
7
value 0.01691
scoring_system epss
scoring_elements 0.82195
published_at 2026-04-04T12:55:00Z
8
value 0.01691
scoring_system epss
scoring_elements 0.82174
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53989
2
reference_url https://github.com/rails/rails-html-sanitizer
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rails/rails-html-sanitizer
3
reference_url https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:35:22Z/
url https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f
4
reference_url https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g
reference_id
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:35:22Z/
url https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53989
reference_id
reference_type
scores
0
value 2.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53989
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2330055
reference_id 2330055
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2330055
8
reference_url https://github.com/advisories/GHSA-rxv5-gxqc-xx8g
reference_id GHSA-rxv5-gxqc-xx8g
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rxv5-gxqc-xx8g
Weaknesses
0
cwe_id 79
name Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score0.1 - 3.1
Exploitability0.5
Weighted_severity2.8
Risk_score1.4
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-apxn-up79-x3ge