CVE-2024-53985
EPSS 2.2%
rails-html-sanitizer has XSS vulnerability with certain configurations
Description
## Summary

There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8.

* Versions affected: 1.6.0
* Not affected: < 1.6.0
* Fixed versions: 1.6.1

Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8.

## Impact

A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:

* allow both "math" and "style" elements
* or allow both "svg" and "style" elements

Code is only impacted if Rails is configured to use HTML5 sanitization; please see the documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.

Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:

1. using application configuration to configure Action View sanitizers' allowed tags:

   ```ruby
   # In config/application.rb
   config.action_view.sanitized_allowed_tags = ["math", "style"]
   # or
   config.action_view.sanitized_allowed_tags = ["svg", "style"]
   ```

   see https://guides.rubyonrails.org/configuring.html#configuring-action-view

2. using a `:tags` option to the Action View helper `sanitize`:

   ```erb
   <%= sanitize @comment.body, tags: ["math", "style"] %>
   <%# or %>
   <%= sanitize @comment.body, tags: ["svg", "style"] %>
   ```

   see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

3. setting the Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:

   ```ruby
   # class-level option
   Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]
   # or
   Rails::HTML5::SafeListSanitizer.allowed_tags = ["svg", "style"]
   ```

   (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)

4. using a `:tags` option to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:

   ```ruby
   # instance-level option
   Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
   # or
   Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])
   ```

   (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)

5. setting the ActionText::ContentHelper module attribute `allowed_tags`:

   ```ruby
   ActionText::ContentHelper.allowed_tags = ["math", "style"]
   # or
   ActionText::ContentHelper.allowed_tags = ["svg", "style"]
   ```

All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds.

## Workarounds

Any one of the following actions will work around this issue:

- Remove "style" from the overridden allowed tags,
- Or, remove "math" and "svg" from the overridden allowed tags,
- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information),
- Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8.
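As an added audit helper (not part of the advisory or of the rails-html-sanitizer project), the following Ruby encodes the advisory's affected conditions so a deployment check can flag a risky configuration before it ships. It assumes only RubyGems' `Gem::Version` and takes the HTML5 flag and the overridden allowed tags as arguments rather than reading Rails configuration itself.

```ruby
# Added example: audit helpers for the conditions described in CVE-2024-53985.
# Assumes plain Ruby with Gem::Version available; no Rails required.
require "rubygems"

# Overridden allowed tags are risky when they contain "style" together with
# "math" or "svg" (the combinations the advisory names).
def risky_allowed_tags?(tags)
  tags = tags.map(&:to_s)
  tags.include?("style") && (tags.include?("math") || tags.include?("svg"))
end

# Nokogiri releases the advisory lists as affected: < 1.15.7, or 1.16.x < 1.16.8.
def nokogiri_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < Gem::Version.new("1.15.7")
  v >= Gem::Version.new("1.16.0") && v < Gem::Version.new("1.16.8")
end

# rails-html-sanitizer 1.6.0 is the affected release; 1.6.1 pins Nokogiri.
def sanitizer_affected?(version_string)
  Gem::Version.new(version_string) == Gem::Version.new("1.6.0")
end

# Single verdict: every condition in the advisory must hold for exposure.
# html5 mirrors whether sanitizer_vendor selects Rails::HTML5::Sanitizer.
def exposed?(sanitizer_version:, nokogiri_version:, html5:, allowed_tags:)
  html5 &&
    sanitizer_affected?(sanitizer_version) &&
    nokogiri_affected?(nokogiri_version) &&
    risky_allowed_tags?(allowed_tags)
end

# Constructed sample inputs mirroring the advisory's examples.
SAMPLE_TAGS = %w[svg style].freeze
SAMPLE_CONFIG = {
  sanitizer_version: "1.6.0", nokogiri_version: "1.16.7",
  html5: true, allowed_tags: SAMPLE_TAGS
}.freeze
```

Calling `exposed?(**SAMPLE_CONFIG)` returns true; changing `nokogiri_version` to "1.16.8", `html5` to false, or dropping "style" from the tags each turns it false, matching the workarounds above.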
## References

- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
- Original report: https://hackerone.com/reports/2503220

## Credit

This vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).
Affected packages (1)
- RubyGems/rails-html-sanitizer: >= 1.6.0, < 1.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-53985
- PATCH: https://github.com/rails/rails-html-sanitizer
- WEB: https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
- WEB: https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
- WEB: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml