Lucene search

GitHub Advisory DatabaseGHSA-9H9G-93GC-623H

HistoryDec 13, 2022 - 5:50 p.m.

Possible XSS vulnerability with certain configurations of rails-html-sanitizer

2022-12-1317:50:25

CWE-79

GitHub Advisory Database

github.com

xss vulnerability

rails::html::sanitizer

all versions

fixed version 1.4.4

attacker injection

allowed tags override

application configuration

action view helper

safelistsanitizer

allowed tags

workarounds

cwe-79

dominic breuker

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

44.1%

JSON

Summary

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4

Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer’s allowed tags in either of the following ways:

allow both “math” and “style” elements,
or allow both “svg” and “style” elements

Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:

using application configuration:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

using a :tags option to the Action View helper sanitize:

&lt;%= sanitize @comment.body, tags: ["math", "style"] %&gt;
&lt;%# or %&gt;
&lt;%= sanitize @comment.body, tags: ["svg", "style"] %&gt;

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

using Rails::Html::SafeListSanitizer class method allowed_tags=:

# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"]
# or
Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"]

using a :tags options to the Rails::Html::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
# or
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])

All users overriding the allowed tags by any of the above mechanisms to include ((“math” or “svg”) and “style”) should either upgrade or use one of the workarounds immediately.

Workarounds

Remove “style” from the overridden allowed tags, or remove “math” and “svg” from the overridden allowed tags.

References

Credit

This vulnerability was responsibly reported by Dominic Breuker.

Affected configurations

Vulners

Node

typo3html_sanitizerRange<1.4.4

VendorProductVersionCPE
typo3html_sanitizer*cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
typo3	html_sanitizer	*	cpe:2.3:a:typo3:html_sanitizer::::::::

References

github.com/advisories/GHSA-9h9g-93gc-623h

github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml

hackerone.com/reports/1656627

lists.debian.org/debian-lts-announce/2023/09/msg00012.html

nvd.nist.gov/vuln/detail/CVE-2022-23519

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

44.1%

JSON

Related for GHSA-9H9G-93GC-623H