Cross-Site Scripting (XSS) Vulnerability in Rails::HTML::Sanitizer
CVE-2024-53985 Published on December 2, 2024
Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags with both "math" and "style" elements or both both "svg" and "style" elements. This vulnerability is fixed in 1.6.1.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-53985 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-53985
Want to know whenever a new CVE is published for Ruby on Rails Rails Html Sanitizers? stack.watch will email you.
Affected Versions
rails-html-sanitizer Version >= 1.6.0, < 1.6.1 is affected by CVE-2024-53985Vulnerable Packages
The following package name and versions may be associated with CVE-2024-53985
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| rubygems | rails-html-sanitizer | = 1.6.0 | 1.6.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.