Cross-Site Scripting (XSS) Vulnerability in Rails::HTML::Sanitizer
CVE-2024-53985 Published on December 2, 2024
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags with both "math" and "style" elements or both both "svg" and "style" elements. This vulnerability is fixed in 1.6.1.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-53985 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-53985
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-53985 are published in Ruby on Rails Rails Html Sanitizers:
Affected Versions
rails-html-sanitizer Version >= 1.6.0, < 1.6.1 is affected by CVE-2024-53985Vulnerable Packages
The following package name and versions may be associated with CVE-2024-53985
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| rubygems | rails-html-sanitizer | = 1.6.0 | 1.6.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.