Ruby on Rails HTML Sanitizer XSS Vulnerability in HTML5 Configuration
CVE-2024-53987 Published on December 2, 2024
Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0. A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "style" element is explicitly allowed and the "svg" or "math" element is not allowed. This vulnerability is fixed in 1.6.1.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-53987 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-53987
Want to know whenever a new CVE is published for Ruby on Rails Rails Html Sanitizers? stack.watch will email you.
Affected Versions
rails-html-sanitizer Version >= 1.6.0, < 1.6.1 is affected by CVE-2024-53987Vulnerable Packages
The following package name and versions may be associated with CVE-2024-53987
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| rubygems | rails-html-sanitizer | = 1.6.0 | 1.6.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.