VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-sq46-54yu-kbfk

Essentials
Severities (95)
References (9)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-sq46-54yu-kbfk
Aliases	CVE-2024-53988 GHSA-cfjx-w229-hgx5
Summary	rails-html-sanitizer has XSS vulnerability with certain configurations ## Summary There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. * Versions affected: 1.6.0 * Not affected: < 1.6.0 * Fixed versions: 1.6.1 ## Impact A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way: - the "math", "mtext", "table", and "style" elements are allowed - and either "mglyph" or "malignmark" are allowed Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options. The default configuration is to disallow all of these elements except for "table". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways: 1. using application configuration to configure Action View sanitizers' allowed tags: ```ruby # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "mtext", "table", "style", "mglyph"] # or config.action_view.sanitized_allowed_tags = ["math", "mtext", "table", "style", "malignmark"] ``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view 2. using a `:tags` option to the Action View helper `sanitize`: ``` <= sanitize @comment.body, tags: ["math", "mtext", "table", "style", "mglyph"] > <# or > <= sanitize @comment.body, tags: ["math", "mtext", "table", "style", "malignmark"] > ``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize 3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`: ```ruby # class-level option Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "mtext", "table", "style", "mglyph"] # or Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "mtext", "table", "style", "malignmark"] ``` (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`) 4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`: ```ruby # instance-level option Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "mtext", "table", "style", "mglyph"]) # or Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "mtext", "table", "style", "malignmark"]) ``` (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`) 5. setting ActionText::ContentHelper module attribute `allowed_tags`: ```ruby ActionText::ContentHelper.allowed_tags = ["math", "mtext", "table", "style", "mglyph"] # or ActionText::ContentHelper.allowed_tags = ["math", "mtext", "table", "style", "malignmark"] ``` All users overriding the allowed tags by any of the above mechanisms to include ("math" and "mtext" and "table" and "style" and ("mglyph" or "malignmark")) should either upgrade or use one of the workarounds. ## Workarounds Any one of the following actions will work around this issue: - Remove "mglyph" and "malignmark" from the overridden allowed tags, - Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information). ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - Original report: https://hackerone.com/reports/2519936 ## Credit This vulnerability was responsibly reported by So Sakaguchi (mokusou).
Status	Published
Exploitability	0.5
Weighted Severity	2.8
Risk	1.4
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	3.1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53988.json
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00054	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00075	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00082	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00096	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00113	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
epss	0.00219	https://api.first.org/data/v1/epss?cve=CVE-2024-53988
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-cfjx-w229-hgx5
generic_textual	LOW	https://github.com/rails/rails-html-sanitizer
cvssv4	2.3	https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72
generic_textual	LOW	https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72
ssvc	Track	https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72
cvssv3.1_qr	LOW	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5
cvssv4	2.3	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5
generic_textual	LOW	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5
ssvc	Track	https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5
generic_textual	LOW	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2024-53988

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53988.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-53988
		https://github.com/rails/rails-html-sanitizer
		https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5
2330067		https://bugzilla.redhat.com/show_bug.cgi?id=2330067
a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72		https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72
CVE-2024-53988		https://nvd.nist.gov/vuln/detail/CVE-2024-53988
CVE-2024-53988.YML		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml
GHSA-cfjx-w229-hgx5		https://github.com/advisories/GHSA-cfjx-w229-hgx5

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-53988.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:34:13Z/ Found at https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Found at https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T14:34:13Z/ Found at https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5

Exploit Prediction Scoring System (EPSS)

Percentile	0.10484
EPSS Score	0.00043
Published At	Dec. 3, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
2024-12-04T05:51:59.405471+00:00	Ruby Importer	Import	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml	35.0.0