CVE-2022-23518
Cross-site scripting vulnerability in rails-html-sanitizer (RubyGems)

Category: Cross-site scripting. Known public exploit: none.

What is CVE-2022-23518 About?

This XSS vulnerability affects `rails-html-sanitizer` versions from 1.0.3 up to 1.4.3 when combined with Loofah >= 2.1.0, allowing attackers to inject scripts via data URIs. The vulnerability occurs due to insufficient sanitization of input containing data URIs that might bypass filtering. Exploitation is made relatively easy by crafting specific data URI payloads.

Affected Software

rails-html-sanitizer >=1.0.3, <1.4.4

Technical Details

The vulnerability occurs in rails-html-sanitizer versions >= 1.0.3, < 1.4.4 when it is used in conjunction with Loofah versions >= 2.1.0. The core issue lies in the sanitization process's failure to properly handle data: URIs, especially when they contain HTML or SVG content that can execute JavaScript. Attackers can craft an input (e.g., an HTML attribute like src or href) that uses a data: URI which encodes malicious script. Due to the interaction between rails-html-sanitizer and Loofah, this data: URI, despite containing executable content, is not adequately neutralized. When this sanitized but still malicious output is rendered in a user's browser, the data: URI is interpreted, and the embedded script is executed, leading to a Cross-Site Scripting (XSS) attack.
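The following Ruby snippet is an added example, not code from the advisory or from rails-html-sanitizer or Loofah. It shows a defense-in-depth check an application can run on already-sanitized output while it is still on an affected version pair: it decodes the character references a browser would decode, drops the whitespace and control characters a browser ignores before reading a URL scheme, and then flags or drops any URL-bearing attribute whose scheme is `data`. The attribute list, the named-reference table and the sample markup are assumptions made for this example; the attribute scanner is a regex heuristic, not an HTML parser, so it is a second line of defence, not a replacement for upgrading.

```ruby
# Added example: post-sanitization guard against data: URIs in URL attributes.
# Assumption: these attributes are the ones browsers treat as URLs.
URL_ATTRIBUTES = %w[href src xlink:href action formaction poster data].freeze

# Named character references relevant to scheme obfuscation (assumed subset).
NAMED_REFS = { "colon" => ":", "tab" => "\t", "newline" => "\n" }.freeze

# Decode numeric (hex and decimal) and the named references above, so that
# `&#100;ata:` or `data&colon;` is seen the way a browser would see it.
def decode_refs(value)
  value.gsub(/&#x([0-9a-f]+);?/i) { [$1.to_i(16)].pack("U") }
       .gsub(/&#(\d+);?/)        { [$1.to_i].pack("U") }
       .gsub(/&([a-z]+);?/i)     { NAMED_REFS.fetch($1.downcase, $&) }
end

# Browsers strip ASCII control characters and whitespace before parsing the
# scheme and compare it case-insensitively; mirror that before deciding.
def scheme_of(value)
  cleaned = decode_refs(value).gsub(/[\x00-\x20]/, "")
  cleaned[/\A([a-z][a-z0-9+.-]*):/i, 1]&.downcase
end

def data_uri?(value)
  scheme_of(value) == "data"
end

# Heuristic attribute scanner: name="value", name='value' or bare values.
ATTR_RE = /\b([a-zA-Z:-]+)(\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# Report every URL attribute carrying a data: URI as [attribute, value].
def find_data_uris(html)
  html.scan(ATTR_RE).filter_map do |name, _eq, dq, sq, bare|
    value = dq || sq || bare
    [name.downcase, value] if URL_ATTRIBUTES.include?(name.downcase) && data_uri?(value)
  end
end

# Drop offending attributes entirely rather than passing them to the browser.
def strip_data_uris(html)
  html.gsub(ATTR_RE) do
    name, dq, sq, bare = $1, $3, $4, $5
    value = dq || sq || bare
    URL_ATTRIBUTES.include?(name.downcase) && data_uri?(value) ? "" : $&
  end
end

# Constructed sample output as a sanitizer on an affected version might emit it:
# an empty SVG document as a base64 data: URI, an entity-obfuscated scheme, and
# an ordinary https URL that must be left alone.
SAMPLE_HTML = '<img src="data:image/svg+xml;base64,PHN2Zz48L3N2Zz4=" alt="x">' \
              '<a href=" &#100;ata&colon;text/plain,hi">t</a>' \
              '<img src="https://example.com/a.png">'

if __FILE__ == $PROGRAM_NAME
  find_data_uris(SAMPLE_HTML).each { |attr, val| puts "flagged #{attr}=#{val.inspect}" }
  puts strip_data_uris(SAMPLE_HTML)
end
```

Run the guard on the sanitizer's output, not on raw input, and log every hit: on an affected version pair a non-zero hit rate in production is the signal that the upgrade to 1.4.4 cannot wait.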

What is the Impact of CVE-2022-23518?

Successful exploitation may allow attackers to inject arbitrary web scripts into user-controlled web pages, leading to session hijacking, defacement, sensitive data disclosure, or redirection to malicious sites.

What is the Exploitability of CVE-2022-23518?

Exploitation complexity is low to moderate. It requires the attacker to submit specific inputs containing crafted data: URIs to an application that uses the affected versions of rails-html-sanitizer and Loofah for HTML sanitization. No authentication or special privileges are typically required if the application allows unauthenticated users to submit HTML content (e.g., comments, forum posts). This is a remote vulnerability, as the attack is performed by sending malicious web input. There are no special constraints beyond the specific version dependencies. The risk of exploitation is higher in applications that accept and display user-generated HTML content without robust content security policies, or if the application's sanitization logic is explicitly configured to allow data: URIs in a way that can be abused.

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary entries recorded).

What are the Available Fixes for CVE-2022-23518?

Available Upgrade Options

  • rails-html-sanitizer
    • >=1.0.3, <1.4.4 → Upgrade to 1.4.4

Additional Resources

What are Similar Vulnerabilities to CVE-2022-23518?

Similar Vulnerabilities: CVE-2024-53985, CVE-2020-8164, CVE-2019-10741, CVE-2018-3740, CVE-2017-0941