CVE-2022-23519
Cross-site Scripting vulnerability in rails-html-sanitizer (RubyGems)
What is CVE-2022-23519 About?
This is a possible Cross-site Scripting (XSS) vulnerability in Rails::Html::Sanitizer affecting all versions before 1.4.4. It occurs when specific combinations of 'math', 'svg', and 'style' elements are allowed in the sanitizer's configuration, enabling an attacker to inject content. Exploitation is moderately easy if the sanitizer's allow-list is misconfigured in this way.
Affected Software
Technical Details
The vulnerability, CVE-2022-23519, exists in Rails::Html::Sanitizer across all versions prior to 1.4.4. It is triggered when the application developer explicitly overrides the sanitizer's allowed tags to include specific problematic combinations: either both 'math' and 'style' elements, or both 'svg' and 'style' elements. In these misconfigured scenarios, the sanitizer's internal logic for HTML escaping and neutralization fails to adequately process malicious content injected within these allowed tags. An attacker can craft input containing active content (e.g., JavaScript) that, when processed by the sanitize helper or SafeListSanitizer instance with the specified allowed tags, bypasses intended security controls and is rendered by the victim's browser, leading to XSS. The attack mechanism involves leveraging the sanitizer's incomplete handling of 'style' within 'math' or 'svg' contexts.
What is the Impact of CVE-2022-23519?
Successful exploitation may allow attackers to inject malicious scripts into web pages viewed by other users, leading to session hijacking, data theft, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2022-23519?
Exploitation of this vulnerability is conditional on the Rails application's Rails::Html::Sanitizer being specifically configured to allow both 'math'/'svg' and 'style' elements simultaneously. This represents moderate attack complexity, as it relies on developer misconfiguration. No authentication or specific privileges are required beyond the ability to submit content that will be sanitized by the vulnerable component. This is a remote vulnerability, achieved by sending specially crafted web requests containing the malicious payload. The critical special condition is the explicit overriding of sanitized_allowed_tags to include the problematic element combinations. Risk is increased in applications that frequently process untrusted HTML and customize sanitization rules without rigorous security review.
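The two conditions described in the Technical Details and Exploitability sections (an affected gem version plus an allow-list containing 'math' or 'svg' together with 'style') can be checked mechanically. The following is an added example written for this page, not code from rails-html-sanitizer or the advisory; it only needs Ruby's bundled `Gem::Version` and assumes the allow-list is handed in as the array of tag names a developer would pass to `sanitized_allowed_tags` or to `sanitize(tags: ...)`.

```ruby
require "rubygems" # Gem::Version for semantic version comparison

# Tag combinations the advisory names as problematic when both are allowed.
RISKY_COMBINATIONS = [
  %w[math style],
  %w[svg style],
].freeze

# First version of rails-html-sanitizer that is not affected.
FIXED_VERSION = Gem::Version.new("1.4.4")

# Returns every risky combination fully present in +allowed_tags+.
# Accepts strings or symbols in any case, as Rails configs commonly do.
def risky_tag_combinations(allowed_tags)
  tags = Array(allowed_tags).map { |t| t.to_s.downcase }
  RISKY_COMBINATIONS.select { |combo| combo.all? { |t| tags.include?(t) } }
end

# True when the installed gem version is below the fixed release.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Exposure requires both an affected version and a risky allow-list;
# a patched gem or a default-style allow-list alone is enough to clear it.
def exposed_to_cve_2022_23519?(version_string, allowed_tags)
  vulnerable_version?(version_string) && !risky_tag_combinations(allowed_tags).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample allow-lists for demonstration.
  default_like = %w[p a b i strong em ul li]
  overridden   = %w[p a math svg style]
  puts exposed_to_cve_2022_23519?("1.4.3", default_like) # false
  puts exposed_to_cve_2022_23519?("1.4.3", overridden)   # true
  puts exposed_to_cve_2022_23519?("1.4.4", overridden)   # false
end
```

Running the check from an initializer or a CI step against `Rails::Html::Sanitizer::VERSION` and the application's configured allow-list flags the misconfiguration before untrusted HTML reaches the sanitizer.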
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-23519?
Available Upgrade Options
- rails-html-sanitizer
  - <1.4.4 → Upgrade to 1.4.4
Additional Resources
- https://hackerone.com/reports/1656627
- https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html
- https://nvd.nist.gov/vuln/detail/CVE-2022-23519
- https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml
- https://osv.dev/vulnerability/GHSA-9h9g-93gc-623h
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
What are Similar Vulnerabilities to CVE-2022-23519?
Similar Vulnerabilities: CVE-2024-53989, CVE-2022-27777, CVE-2021-22927, CVE-2020-8166, CVE-2018-8048
