PRIOn knowledge base: PRION:CVE-2022-23518
Dec 14, 2022 - 5:15 p.m.

Cross site scripting

2022-12-14 17:15:00
PRIOn knowledge base
www.prio-n.com
rails-html-sanitizer
cross-site scripting
data uris
loofah
vulnerability
patch
nvd

AI Score: 5.8 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 43.6%)

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
