CVE-2022-23519

CVSS V2 None CVSS V3 None
Description
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements, or allow both "svg" and "style" elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version 1.4.4. All users overriding the allowed tags to include "math" or "svg" and "style" should either upgrade or use the following workaround immediately: Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
Overview
  • CVE ID
  • CVE-2022-23519
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-12-14T17:15:11
  • Last Modified Date
  • 2022-12-16T21:48:41
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:rails_html_sanitizer_project:rails_html_sanitizer:*:*:*:*:*:ruby:*:* 1 OR 1.4.4
History
Created Old Value New Value Data Type Notes
2022-12-14 18:15:35 Added to TrackCVE
2022-12-14 19:16:27 2022-12-14T17:15:11.067 2022-12-14T17:15:11 CVE Published Date updated
2022-12-14 19:16:27 2022-12-14T19:14:44 CVE Modified Date updated
2022-12-14 19:16:27 Received Awaiting Analysis Vulnerability Status updated
2022-12-18 04:35:33 2022-12-16T21:48:41 CVE Modified Date updated
2022-12-18 04:35:33 Awaiting Analysis Analyzed Vulnerability Status updated
2022-12-18 04:35:41 CPE Information updated