{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","type":"deb","namespace":"debian","name":"ruby-rails-html-sanitizer","version":"1.4.4-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.6.2-1","latest_non_vulnerable_version":"1.7.0-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7292?format=json","vulnerability_id":"VCID-2ece-9xu2-z7ea","summary":"XSS vulnerability - white list bypass\nCarefully crafted strings can cause user input to bypass the sanitization in the white list sanitizer which can lead to an XSS attack.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7580","reference_id":"","reference_type":"","scores":[{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37289","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37306","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.3726","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37288","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37321","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.3731","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37298","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37247","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.3723","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37395","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37419","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.36777","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.36895","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.3698","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37012","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00163","scoring_system":"epss","scoring_elements":"0.37236","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7580"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7580","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7580"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7580","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:N/I:P/A:N"},{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7580"},{"reference_url":"https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/01/25/15","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2016/01/25/15"},{"reference_url":"http://www.securitytracker.com/id/1034816","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1034816"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812814","reference_id":"812814","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812814"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","reference_id":"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-ghqm-pgxj-37gq","reference_id":"GHSA-ghqm-pgxj-37gq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ghqm-pgxj-37gq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938365?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.0.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.0.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2015-7580","GHSA-ghqm-pgxj-37gq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2ece-9xu2-z7ea"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52803?format=json","vulnerability_id":"VCID-63em-3vdj-j3cu","summary":"Inefficient Regular Expression Complexity in rails-html-sanitizer\n## Summary\n\nCertain configurations of rails-html-sanitizer `< 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23517.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23517.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23517","reference_id":"","reference_type":"","scores":[{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47288","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47281","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47307","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47283","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47287","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0024","scoring_system":"epss","scoring_elements":"0.47232","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00241","scoring_system":"epss","scoring_elements":"0.47195","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.4795","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00247","scoring_system":"epss","scoring_elements":"0.47928","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.49004","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.49008","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48916","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48962","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48953","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00256","scoring_system":"epss","scoring_elements":"0.48966","published_at":"2026-04-21T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23517"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23517","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23517"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-02T17:07:58Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-02T17:07:58Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml"},{"reference_url":"https://hackerone.com/reports/1684163","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-02T17:07:58Z/"}],"url":"https://hackerone.com/reports/1684163"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-02T17:07:58Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23517","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23517"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153","reference_id":"1027153","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153720","reference_id":"2153720","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153720"},{"reference_url":"https://github.com/advisories/GHSA-5x79-w82f-gw8w","reference_id":"GHSA-5x79-w82f-gw8w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5x79-w82f-gw8w"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2097","reference_id":"RHSA-2023:2097","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2097"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938370?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-23517","GHSA-5x79-w82f-gw8w","GMS-2022-8298"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63em-3vdj-j3cu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52579?format=json","vulnerability_id":"VCID-782b-usu3-bbhd","summary":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer\n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n- allow both \"math\" and \"style\" elements,\n- or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:\n\n1. using application configuration:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  <%= sanitize @comment.body, tags: [\"math\", \"style\"] %>\n  <%# or %>\n  <%= sanitize @comment.body, tags: [\"svg\", \"style\"] %>\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds immediately.\n\n\n## Workarounds\n\nRemove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://hackerone.com/reports/1656627\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23519.json","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23519.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23519","reference_id":"","reference_type":"","scores":[{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.34031","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.33474","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.34073","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.34104","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.34102","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.34036","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00139","scoring_system":"epss","scoring_elements":"0.34059","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00143","scoring_system":"epss","scoring_elements":"0.3468","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00143","scoring_system":"epss","scoring_elements":"0.34706","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.35344","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.35281","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.35047","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.35026","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.34935","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00148","scoring_system":"epss","scoring_elements":"0.35333","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23519"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23519","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23519"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml"},{"reference_url":"https://hackerone.com/reports/1656627","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1656627"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23519","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23519"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153","reference_id":"1027153","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153744","reference_id":"2153744","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153744"},{"reference_url":"https://github.com/advisories/GHSA-9h9g-93gc-623h","reference_id":"GHSA-9h9g-93gc-623h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9h9g-93gc-623h"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2097","reference_id":"RHSA-2023:2097","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2097"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938370?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-23519","GHSA-9h9g-93gc-623h","GMS-2022-8299"],"risk_score":3.2,"exploitability":"0.5","weighted_severity":"6.5","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-782b-usu3-bbhd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14968?format=json","vulnerability_id":"VCID-apxn-up79-x3ge","summary":"rails-html-sanitizer has XSS vulnerability with certain configurations\n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: < 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"noscript\" element is explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"noscript\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  <%= sanitize @comment.body, tags: [\"noscript\"] %>\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"noscript\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"noscript\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"noscript\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"noscript\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"noscript\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2509647\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53989.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53989.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53989","reference_id":"","reference_type":"","scores":[{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82269","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82267","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.8223","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82236","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82174","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82224","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82217","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82191","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82195","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82244","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84751","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84725","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84734","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84736","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53989"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:35:22Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:35:22Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53989","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53989"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330055","reference_id":"2330055","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330055"},{"reference_url":"https://github.com/advisories/GHSA-rxv5-gxqc-xx8g","reference_id":"GHSA-rxv5-gxqc-xx8g","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rxv5-gxqc-xx8g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938372?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-53989","GHSA-rxv5-gxqc-xx8g"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-apxn-up79-x3ge"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14955?format=json","vulnerability_id":"VCID-cphr-tdzs-x7ar","summary":"rails-html-sanitize has XSS vulnerability with certain configurations\n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8.\n\n* Versions affected: 1.6.0\n* Not affected: < 1.6.0\n* Fixed versions: 1.6.1\n\nPlease note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8.\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n* allow both \"math\" and \"style\" elements\n* or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  <%= sanitize @comment.body, tags: [\"math\", \"style\"] %>\n  <%# or %>\n  <%= sanitize @comment.body, tags: [\"svg\", \"style\"] %>\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"svg\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, remove \"math\" and \"svg\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information)\n- Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2503220\n\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53985.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53985.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53985","reference_id":"","reference_type":"","scores":[{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81908","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81905","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81869","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81874","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81886","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81867","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.8186","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81834","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81837","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01627","scoring_system":"epss","scoring_elements":"0.81813","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02195","scoring_system":"epss","scoring_elements":"0.84484","published_at":"2026-05-05T12:55:00Z"},{"value":"0.02195","scoring_system":"epss","scoring_elements":"0.84453","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02195","scoring_system":"epss","scoring_elements":"0.84461","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02195","scoring_system":"epss","scoring_elements":"0.84465","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53985"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:47:47Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:47:47Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:47:47Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53985","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53985"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330061","reference_id":"2330061","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330061"},{"reference_url":"https://github.com/advisories/GHSA-w8gc-x259-rc7x","reference_id":"GHSA-w8gc-x259-rc7x","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w8gc-x259-rc7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938372?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-53985","GHSA-w8gc-x259-rc7x"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cphr-tdzs-x7ar"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54125?format=json","vulnerability_id":"VCID-ete9-xwuw-puf8","summary":"Rails::Html::Sanitizer vulnerable to Cross-site Scripting\nVersions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which  allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. \n\nThis may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`: ```<%= sanitize @comment.body, tags: [\"select\", \"style\"] %>``` \n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize \n\nIt may also be done with Rails::Html::SafeListSanitizer directly: \n```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```  or with\n```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32209.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32209.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32209","reference_id":"","reference_type":"","scores":[{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89247","published_at":"2026-05-05T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89239","published_at":"2026-04-29T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89236","published_at":"2026-04-26T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.8923","published_at":"2026-04-24T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89196","published_at":"2026-04-08T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89211","published_at":"2026-04-11T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.892","published_at":"2026-04-09T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89178","published_at":"2026-04-07T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89213","published_at":"2026-04-21T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89217","published_at":"2026-04-18T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89204","published_at":"2026-04-13T12:55:00Z"},{"value":"0.04566","scoring_system":"epss","scoring_elements":"0.89207","published_at":"2026-04-12T12:55:00Z"},{"value":"0.04686","scoring_system":"epss","scoring_elements":"0.89307","published_at":"2026-04-02T12:55:00Z"},{"value":"0.04686","scoring_system":"epss","scoring_elements":"0.89321","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-32209"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s"},{"reference_url":"https://hackerone.com/reports/1530898","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1530898"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32209","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-32209"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013806","reference_id":"1013806","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013806"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2101882","reference_id":"2101882","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2101882"},{"reference_url":"https://github.com/advisories/GHSA-pg8v-g4xq-hww9","reference_id":"GHSA-pg8v-g4xq-hww9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pg8v-g4xq-hww9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:8506","reference_id":"RHSA-2022:8506","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:8506"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938370?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938371?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.3-0.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.3-0.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-32209","GHSA-pg8v-g4xq-hww9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ete9-xwuw-puf8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7293?format=json","vulnerability_id":"VCID-nc6s-6usd-gkeb","summary":"Possible XSS vulnerability\nCertain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications.","references":[{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7578","reference_id":"","reference_type":"","scores":[{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37774","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37195","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37312","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37402","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37424","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37661","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37722","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37741","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37693","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37679","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.378","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.3772","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37755","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37742","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37592","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37729","published_at":"2026-04-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7578"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7578","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7578"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7578","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:N/I:P/A:N"},{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7578"},{"reference_url":"https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/01/25/11","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2016/01/25/11"},{"reference_url":"http://www.securitytracker.com/id/1034816","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1034816"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812814","reference_id":"812814","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812814"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","reference_id":"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-59c7-4xj2-hgvw","reference_id":"GHSA-59c7-4xj2-hgvw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-59c7-4xj2-hgvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938365?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.0.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.0.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2015-7578","GHSA-59c7-4xj2-hgvw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nc6s-6usd-gkeb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14878?format=json","vulnerability_id":"VCID-rhb1-h2b8-jucb","summary":"rails-html-sanitizer has XSS vulnerability with certain configurations\n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: < 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"style\" element is explicitly allowed\n- the \"svg\" or \"math\" element is not allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  <%= sanitize @comment.body, tags: [\"style\"] %>\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"style\" and omit \"svg\" or \"math\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53987.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53987.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53987","reference_id":"","reference_type":"","scores":[{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80823","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80826","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80834","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80779","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80799","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80848","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80796","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80832","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80867","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80866","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01458","scoring_system":"epss","scoring_elements":"0.80863","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83593","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83597","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83585","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83622","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53987"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:33:13Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:33:13Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53987.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53987.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53987","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53987"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330053","reference_id":"2330053","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330053"},{"reference_url":"https://github.com/advisories/GHSA-2x5m-9ch4-qgrr","reference_id":"GHSA-2x5m-9ch4-qgrr","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2x5m-9ch4-qgrr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938372?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-53987","GHSA-2x5m-9ch4-qgrr"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rhb1-h2b8-jucb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14761?format=json","vulnerability_id":"VCID-rz3c-6h7r-6bam","summary":"rails-html-sanitizer has XSS vulnerability with certain configurations\n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: < 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\", \"mtext\", \"table\", and \"style\" elements are allowed\n- and either \"mglyph\" or \"malignmark\" are allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements except for \"table\". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  <%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"] %>\n  <%# or %>\n  <%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"] %>\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include (\"math\" and \"mtext\" and \"table\" and \"style\" and (\"mglyph\" or \"malignmark\")) should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"mglyph\" and \"malignmark\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53988.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53988.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53988","reference_id":"","reference_type":"","scores":[{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82269","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82267","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.8223","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82236","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82174","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82224","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82217","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82191","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82195","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01691","scoring_system":"epss","scoring_elements":"0.82244","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84751","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84725","published_at":"2026-04-24T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84734","published_at":"2026-04-26T12:55:00Z"},{"value":"0.0228","scoring_system":"epss","scoring_elements":"0.84736","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53988"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:34:13Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:34:13Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53988","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53988"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330067","reference_id":"2330067","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330067"},{"reference_url":"https://github.com/advisories/GHSA-cfjx-w229-hgx5","reference_id":"GHSA-cfjx-w229-hgx5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cfjx-w229-hgx5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938372?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-53988","GHSA-cfjx-w229-hgx5"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rz3c-6h7r-6bam"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/14738?format=json","vulnerability_id":"VCID-ueen-aybd-tqh2","summary":"rails-html-sanitizer has XSS vulnerability with certain configurations\n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: < 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\" and \"style\" elements are both explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  <%= sanitize @comment.body, tags: [\"math\", \"style\"] %>\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"math\" and \"style\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"math\" or \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519941\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53986.json","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53986.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53986","reference_id":"","reference_type":"","scores":[{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83529","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83562","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83561","published_at":"2026-04-18T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83473","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83487","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83559","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83486","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83511","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.8352","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83535","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01968","scoring_system":"epss","scoring_elements":"0.83525","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02649","scoring_system":"epss","scoring_elements":"0.85795","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02649","scoring_system":"epss","scoring_elements":"0.85805","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02649","scoring_system":"epss","scoring_elements":"0.85806","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02649","scoring_system":"epss","scoring_elements":"0.85823","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-53986"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:33:42Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:33:42Z/"}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53986.yml","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53986.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53986","reference_id":"","reference_type":"","scores":[{"value":"2.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53986"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330056","reference_id":"2330056","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2330056"},{"reference_url":"https://github.com/advisories/GHSA-638j-pmjw-jq48","reference_id":"GHSA-638j-pmjw-jq48","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-638j-pmjw-jq48"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938372?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2024-53986","GHSA-638j-pmjw-jq48"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ueen-aybd-tqh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7289?format=json","vulnerability_id":"VCID-ujza-s7ug-9fcp","summary":"XSS vulnerability in strip_tags\nDue to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's `strip_tags` these entities will be unescaped what may cause a XSS attack if used in combination with `raw` or `html_safe`.","references":[{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7579","reference_id":"","reference_type":"","scores":[{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37195","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37592","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37774","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.378","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37679","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37729","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37742","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37755","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.3772","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37693","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37741","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37722","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37661","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37424","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37402","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00166","scoring_system":"epss","scoring_elements":"0.37312","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7579"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7579","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7579"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f"},{"reference_url":"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7579","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv2","scoring_elements":"AV:N/AC:M/Au:N/C:N/I:P/A:N"},{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7579"},{"reference_url":"https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816"},{"reference_url":"http://www.openwall.com/lists/oss-security/2016/01/25/12","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2016/01/25/12"},{"reference_url":"http://www.securitytracker.com/id/1034816","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1034816"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812814","reference_id":"812814","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812814"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","reference_id":"cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.1:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5.2:*:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:4.2.6:rc1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta2:*:*:*:*:*:*"},{"reference_url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*","reference_id":"cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rubyonrails:rails:5.0.0:beta3:*:*:*:*:*:*"},{"reference_url":"https://github.com/advisories/GHSA-r9c2-cr39-c8g6","reference_id":"GHSA-r9c2-cr39-c8g6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r9c2-cr39-c8g6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938365?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.0.3-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.0.3-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2015-7579","GHSA-r9c2-cr39-c8g6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ujza-s7ug-9fcp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52655?format=json","vulnerability_id":"VCID-wxfr-bs81-augc","summary":"Improper neutralization of data URIs may allow XSS in rails-html-sanitizer\n## Summary\n\nrails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `>= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)\n- https://github.com/rails/rails-html-sanitizer/issues/135\n- https://hackerone.com/reports/1694173\n\n\n## Credit\n\nThis vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23518.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23518.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23518","reference_id":"","reference_type":"","scores":[{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48629","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48616","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48643","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48625","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.4863","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00253","scoring_system":"epss","scoring_elements":"0.48576","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00254","scoring_system":"epss","scoring_elements":"0.48542","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0026","scoring_system":"epss","scoring_elements":"0.49336","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0026","scoring_system":"epss","scoring_elements":"0.49363","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50483","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50478","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50415","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50405","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50459","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00269","scoring_system":"epss","scoring_elements":"0.50366","published_at":"2026-04-29T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23518"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23518","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23518"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/issues/135","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/issues/135"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml"},{"reference_url":"https://github.com/w3c/svgwg/issues/266","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/w3c/svgwg/issues/266"},{"reference_url":"https://hackerone.com/reports/1694173","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1694173"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23518","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23518"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153","reference_id":"1027153","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153701","reference_id":"2153701","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153701"},{"reference_url":"https://github.com/advisories/GHSA-mcvf-2q2m-x72m","reference_id":"GHSA-mcvf-2q2m-x72m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mcvf-2q2m-x72m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2097","reference_id":"RHSA-2023:2097","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2097"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938370?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-23518","GHSA-mcvf-2q2m-x72m","GMS-2022-8300"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wxfr-bs81-augc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/8924?format=json","vulnerability_id":"VCID-xby9-avva-a3e5","summary":"XSS vulnerability\nThe gem allows attributes that are not specified in the allowlist to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3741.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3741.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3741","reference_id":"","reference_type":"","scores":[{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.3174","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.3235","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32312","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32284","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32321","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32297","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32268","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32093","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31969","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.31887","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32257","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32408","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32444","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32271","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.3232","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00129","scoring_system":"epss","scoring_elements":"0.32349","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-3741"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3741","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3741"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"},{"reference_url":"https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""}],"url":"https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3741","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3741"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1568842","reference_id":"1568842","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1568842"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893994","reference_id":"893994","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893994"},{"reference_url":"https://github.com/advisories/GHSA-px3r-jm9g-c8w8","reference_id":"GHSA-px3r-jm9g-c8w8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-px3r-jm9g-c8w8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938369?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.0.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.0.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2018-3741","GHSA-px3r-jm9g-c8w8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xby9-avva-a3e5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/52792?format=json","vulnerability_id":"VCID-zcs7-hzze-u3a5","summary":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer\n## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements.\n\nCode is only impacted if allowed tags are being overridden using either of the following two mechanisms:\n\n1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n  ```\n\n  (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)\n\n2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by either of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\nNOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:\n\n- the `:tags` option to the Action View helper method `sanitize`.\n- the `:tags` option to the instance method `SafeListSanitizer#sanitize`.\n\n\n## Workarounds\n\nRemove either \"select\" or \"style\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209\n- https://hackerone.com/reports/1654310\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23520.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23520.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23520","reference_id":"","reference_type":"","scores":[{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56203","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56249","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56272","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56251","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.5636","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56328","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56345","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.5637","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56359","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56354","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56303","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00344","scoring_system":"epss","scoring_elements":"0.57022","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00344","scoring_system":"epss","scoring_elements":"0.56999","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23520"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23520","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23520"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails-html-sanitizer","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer"},{"reference_url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23520.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23520.yml"},{"reference_url":"https://hackerone.com/reports/1654310","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1654310"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23520","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23520"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153","reference_id":"1027153","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153751","reference_id":"2153751","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2153751"},{"reference_url":"https://github.com/advisories/GHSA-rrfc-7g8p-99q8","reference_id":"GHSA-rrfc-7g8p-99q8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rrfc-7g8p-99q8"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2097","reference_id":"RHSA-2023:2097","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2097"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/938366?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938370?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.3.0-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938364?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938368?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.6.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/938367?format=json","purl":"pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.7.0-1%3Fdistro=trixie"}],"aliases":["CVE-2022-23520","GHSA-rrfc-7g8p-99q8","GMS-2022-8301"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zcs7-hzze-u3a5"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rails-html-sanitizer@1.4.4-1%3Fdistro=trixie"}