VulnerableCode Package Details - pkg:gem/view

Search for packages

Vulnerability	Summary	Fixed by
VCID-fk74-z1fr-1uem Aliases: CVE-2024-21636 GHSA-wf2x-8w6j-qw37	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 has been released and fully mitigates both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.	2.83.0 Affected by 0 other vulnerabilities. 3.9.0 Affected by 0 other vulnerabilities.
VCID-ga2g-htdr-7ken Aliases: CVE-2022-24722 GHSA-cm9w-c4rj-r2cf	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the `translate` method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to the `translate` function, or sanitize the inputs before passing them.	2.49.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-fk74-z1fr-1uem
Aliases:
CVE-2024-21636
GHSA-wf2x-8w6j-qw37

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 has been released and fully mitigates both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.

2.83.0
Affected by 0 other vulnerabilities.

3.9.0
Affected by 0 other vulnerabilities.

VCID-ga2g-htdr-7ken
Aliases:
CVE-2022-24722
GHSA-cm9w-c4rj-r2cf

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the `translate` method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to the `translate` function, or sanitize the inputs before passing them.

2.49.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:14:34.374464+00:00	Ruby Importer	Affected by	VCID-fk74-z1fr-1uem	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2024-21636.yml	38.6.0
2026-06-04T18:13:00.996900+00:00	Ruby Importer	Affected by	VCID-ga2g-htdr-7ken	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2022-24722.yml	38.6.0

2026-06-04T18:14:34.374464+00:00

Ruby Importer

Affected by

VCID-fk74-z1fr-1uem

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2024-21636.yml

38.6.0

2026-06-04T18:13:00.996900+00:00

Ruby Importer

Affected by

VCID-ga2g-htdr-7ken

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2022-24722.yml

38.6.0

Next non-vulnerable version	2.83.0
Latest non-vulnerable version	4.9.0
Risk	4.0