-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
CVE-2022-23519.yml
76 lines (57 loc) · 2.54 KB
/
CVE-2022-23519.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
---
gem: rails-html-sanitizer
cve: 2022-23519
ghsa: 9h9g-93gc-623h
url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
title: Possible XSS vulnerability with certain configurations of rails-html-sanitizer
date: 2022-12-13
description: |
## Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
- Versions affected: ALL
- Not affected: NONE
- Fixed versions: 1.4.4
## Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:
- allow both "math" and "style" elements,
- or allow both "svg" and "style" elements
Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:
1. using application configuration:
```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]
```
see https://guides.rubyonrails.org/configuring.html#configuring-action-view
2. using a `:tags` option to the Action View helper `sanitize`:
```
<%= sanitize @comment.body, tags: ["math", "style"] %>
<%# or %>
<%= sanitize @comment.body, tags: ["svg", "style"] %>
```
see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:
```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"]
# or
Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"]
```
4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:
```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
# or
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])
```
All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.
## Workarounds
Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
cvss_v3: 6.1
patched_versions:
- ">= 1.4.4"
related:
url:
- https://cwe.mitre.org/data/definitions/79.html
- https://hackerone.com/reports/1656627