VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-adx2-9m5x-bqde

Essentials
Severities (99)
References (10)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-adx2-9m5x-bqde
Aliases	CVE-2024-53985 GHSA-w8gc-x259-rc7x
Summary	rails-html-sanitizer has XSS vulnerability with certain configurations ## Summary There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. * Versions affected: 1.6.0 * Not affected: < 1.6.0 * Fixed versions: 1.6.1 Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8. ## Impact A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways: * allow both "math" and "style" elements * or allow both "svg" and "style" elements Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways: 1. using application configuration to configure Action View sanitizers' allowed tags: ```ruby # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "style"] # or config.action_view.sanitized_allowed_tags = ["svg", "style"] ``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view 2. using a `:tags` option to the Action View helper `sanitize`: ``` <= sanitize @comment.body, tags: ["math", "style"] > <# or> <= sanitize @comment.body, tags: ["svg", "style"] > ``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize 3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`: ```ruby # class-level option Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"] # or Rails::HTML5::SafeListSanitizer.allowed_tags = ["svg", "style"] ``` (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`) 4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`: ```ruby # instance-level option Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"]) # or Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"]) ``` (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`) 5. setting ActionText::ContentHelper module attribute `allowed_tags`: ```ruby ActionText::ContentHelper.allowed_tags = ["math", "style"] # or ActionText::ContentHelper.allowed_tags = ["svg", "style"] ``` All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds. ## Workarounds Any one of the following actions will work around this issue: - Remove "style" from the overridden allowed tags, - Or, remove "math" and "svg" from the overridden allowed tags, - Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information) - Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8. ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - Original report: https://hackerone.com/reports/2503220 ## Credit This vulnerability was responsibly reported by HackerOne user [@taise](https://hackerone.com/taise?type=user).
Status	Published
Exploitability	0.5
Weighted Severity	2.8
Risk	1.4
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	3.1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53985.json
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00045	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00064	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00064	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00064	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00064	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.0007	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00081	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00088	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00097	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00098	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00107	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00107	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00125	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00147	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
epss	0.00284	https://api.first.org/data/v1/epss?cve=CVE-2024-53985
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-w8gc-x259-rc7x
generic_textual	LOW	https://github.com/rails/rails-html-sanitizer
cvssv4	2.3	https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
generic_textual	LOW	https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
ssvc	Track	https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
cvssv4	2.3	https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
generic_textual	LOW	https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
ssvc	Track	https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
cvssv3.1_qr	LOW	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
cvssv4	2.3	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
generic_textual	LOW	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
ssvc	Track	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
generic_textual	LOW	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2024-53985

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53985.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-53985
		https://github.com/rails/rails-html-sanitizer
		https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
		https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
		https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
2330061		https://bugzilla.redhat.com/show_bug.cgi?id=2330061
CVE-2024-53985		https://nvd.nist.gov/vuln/detail/CVE-2024-53985
CVE-2024-53985.YML		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml
GHSA-w8gc-x259-rc7x		https://github.com/advisories/GHSA-w8gc-x259-rc7x

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53985.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:47:47Z/ Found at https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:47:47Z/ Found at https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-11T16:47:47Z/ Found at https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x

Exploit Prediction Scoring System (EPSS)

Percentile	0.17329
EPSS Score	0.00045
Published At	Dec. 3, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
2024-12-04T05:51:59.955182+00:00	Ruby Importer	Import	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml	35.0.0