Ruby on Rails HTML Sanitizer XSS Vulnerability in HTML5 Sanitization
CVE-2024-53986 Published on December 2, 2024
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math" and "style" elements are both explicitly allowed. This vulnerability is fixed in 1.6.1.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-53986 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-53986
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-53986 are published in Ruby on Rails Rails Html Sanitizers:
Affected Versions
rails-html-sanitizer Version >= 1.6.0, < 1.6.1 is affected by CVE-2024-53986Vulnerable Packages
The following package name and versions may be associated with CVE-2024-53986
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| rubygems | rails-html-sanitizer | = 1.6.0 | 1.6.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.