| purl | pkg:gem/view_component@2.57.1 |
|---|---|

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-fk74-z1fr-1uem (Aliases: CVE-2024-21636, GHSA-wf2x-8w6j-qw37) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 have a cross-site scripting vulnerability that can affect anyone rendering a component directly from a controller with the view_component gem. Only components that define a `#call` method (instead of using a sidecar template) are affected: the return value of `#call` is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` method is not sanitized, which can also lead to cross-site scripting. Version 3.9.0 has been released and fully mitigates both the `#call` and the `#output_postamble` issues. As a workaround, sanitize the return value of `#call`. | Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
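The advisory above says the return values of `#call` and `#output_postamble` were emitted without sanitization, and that escaping the return value of `#call` is the workaround. The following is an added, self-contained Ruby example (not code from the view_component gem or from the advisory) that models the two patterns side by side: a constructed component class whose `#call`/`#output_postamble` interpolate user input verbatim, a hardened variant that applies `ERB::Util.html_escape` before returning, a hypothetical `render_component` stand-in for the controller render path, and a version check against the 3.9.0 fix boundary. The component class names, the renderer, and the payload string are all constructed for illustration.

```ruby
require "erb"

# The advisory states that versions before 3.9.0 are affected.
FIXED_VERSION = Gem::Version.new("3.9.0")

def affected_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Constructed stand-in for a component that defines #call instead of a
# sidecar template. This is NOT the view_component gem's own code; it only
# models the pattern the advisory describes.
class GreetingComponentUnsafe
  def initialize(name:)
    @name = name
  end

  def call
    "<h1>Hello, #{@name}</h1>"                       # user input interpolated verbatim
  end

  def output_postamble
    "<p class=\"meta\">Rendered for #{@name}</p>"    # also returned unsanitized
  end
end

# Hardened variant applying the advisory's workaround: escape user-controlled
# content before it reaches the returned markup (covers the postamble too).
class GreetingComponentSafe
  def initialize(name:)
    @name = name
  end

  def call
    "<h1>Hello, #{ERB::Util.html_escape(@name)}</h1>"
  end

  def output_postamble
    "<p class=\"meta\">Rendered for #{ERB::Util.html_escape(@name)}</p>"
  end
end

# Hypothetical renderer standing in for the controller render path described
# in the advisory: #call and #output_postamble are concatenated and emitted.
def render_component(component)
  component.call + component.output_postamble
end

# Constructed attacker-controlled input.
PAYLOAD = "<script>alert(1)</script>"

def render_unsafe(name)
  render_component(GreetingComponentUnsafe.new(name: name))
end

def render_safe(name)
  render_component(GreetingComponentSafe.new(name: name))
end

if __FILE__ == $PROGRAM_NAME
  puts "2.57.1 affected? #{affected_version?('2.57.1')}"
  puts "3.9.0 affected?  #{affected_version?('3.9.0')}"
  puts render_unsafe(PAYLOAD)
  puts render_safe(PAYLOAD)
end
```

In the unsafe path the `<script>` tag survives into the rendered output; in the hardened path both the `#call` body and the postamble carry only entity-escaped text. Upgrading to 3.9.0 or later remains the proper fix; the escaping shown here is the interim workaround the advisory recommends.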
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T18:14:34.406070+00:00 | Ruby Importer | Affected by | VCID-fk74-z1fr-1uem | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2024-21636.yml | 38.6.0 |