-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
CVE-2022-32209.yml
62 lines (46 loc) · 1.89 KB
/
CVE-2022-32209.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
---
gem: rails-html-sanitizer
cve: 2022-32209
ghsa: pg8v-g4xq-hww9
url: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s
title: Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
date: 2022-06-09
description: |
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
This vulnerability has been assigned the CVE identifier CVE-2022-32209.
Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3
## Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
may allow an attacker to inject content if the application developer has overridden
the sanitizer's allowed tags to allow both `select` and `style` elements.
Code is only impacted if allowed tags are being overridden. This may be done via
application configuration:
```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```
see https://guides.rubyonrails.org/configuring.html#configuring-action-view
Or it may be done with a `:tags` option to the Action View helper `sanitize`:
```
<%= sanitize @comment.body, tags: ["select", "style"] %>
```
see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
Or it may be done with Rails::Html::SafeListSanitizer directly:
```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```
or
```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```
All users overriding the allowed tags by any of the above mechanisms to include
both "select" and "style" should either upgrade or use one of the workarounds immediately.
## Workarounds
Remove either `select` or `style` from the overridden allowed tags.
cvss_v3: 6.1
patched_versions:
- ">= 1.4.3"