CVE-2022-23520
XSS vulnerability in rails-html-sanitizer (RubyGems)

XSS vulnerability | No known exploit

What is CVE-2022-23520 About?

This vulnerability is a Cross-Site Scripting (XSS) flaw in Rails::Html::Sanitizer caused by an incomplete fix for a previous XSS issue (CVE-2022-32209). It allows an attacker to inject content only when the application has overridden the sanitizer's allowed tags so that both the "select" and "style" elements are permitted. Exploitation is difficult because it depends on that non-default, developer-defined configuration.

Affected Software

rails-html-sanitizer <1.4.4

Technical Details

The XSS vulnerability in Rails::Html::Sanitizer versions before 1.4.4 arises from an incomplete fix for CVE-2022-32209. Specifically, if an application developer explicitly overrides the sanitizer's allowed tags to include both the 'select' and 'style' elements, using either config.action_view.sanitized_allowed_tags or Rails::Html::SafeListSanitizer.allowed_tags=, malicious content can be injected. With that combination allowed, the sanitizer fails to neutralize input carrying an XSS payload inside these tags, so arbitrary script can execute in the client's browser when the "sanitized" output is rendered. The default safe list allows neither element, so applications that never override the allowed tags are not affected.
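Because the bug only matters when both conditions hold (a version below 1.4.4 and an overridden safe list containing both "select" and "style"), the practical check is an audit of the locked gem version and of the configured allowed tags. The following is an added example written for this page, not code from rails-html-sanitizer or from the original advisory. It uses only the Ruby standard library so it runs without the gem, and the Gemfile.lock text and the allowed-tag lists are constructed sample inputs; the helper names (locked_sanitizer_version, risky_allowed_tags?, harden_allowed_tags, assess) are illustrative, not gem APIs.

```ruby
require "rubygems" # Gem::Version; normally loaded already

# Added example for CVE-2022-23520: an offline audit of the two conditions the
# advisory describes. Nothing here touches the rails-html-sanitizer gem itself.
#
# Condition 1: rails-html-sanitizer < 1.4.4 (read from Gemfile.lock).
# Condition 2: the application overrides the safe list so that BOTH "select"
#              and "style" are allowed.

FIXED_VERSION = Gem::Version.new("1.4.4")

# Extract the locked rails-html-sanitizer version from Gemfile.lock text.
# Only the "specs" entry "rails-html-sanitizer (x.y.z)" matches; dependency
# lines such as "rails-html-sanitizer (~> 1.1)" do not. Returns nil if the
# gem is not locked (or only a pre-release version is present).
def locked_sanitizer_version(lockfile_text)
  m = lockfile_text.match(/^\s+rails-html-sanitizer \((\d+(?:\.\d+)*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

def vulnerable_version?(version)
  !version.nil? && version < FIXED_VERSION
end

# The CVE needs both tags in the safe list; allowing only one of them is not
# the condition it describes. Tag names are compared case-insensitively.
def risky_allowed_tags?(allowed_tags)
  tags = allowed_tags.map { |t| t.to_s.downcase }
  tags.include?("select") && tags.include?("style")
end

# Workaround until the upgrade lands: remove "style" (keeping "select") so the
# dangerous pair is never allowed together. Removing "select" instead would
# also break the pair.
def harden_allowed_tags(allowed_tags)
  allowed_tags.reject { |t| t.to_s.downcase == "style" }
end

# Combine both checks; :exposed is true only when version AND config are bad.
def assess(lockfile_text, allowed_tags)
  version = locked_sanitizer_version(lockfile_text)
  {
    version: version && version.to_s,
    vulnerable_version: vulnerable_version?(version),
    risky_tags: risky_allowed_tags?(allowed_tags),
    exposed: vulnerable_version?(version) && risky_allowed_tags?(allowed_tags),
  }
end

# Constructed sample lockfile (hypothetical application, not a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.19.0)
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)
LOCK

# The tag list an initializer like
#   config.action_view.sanitized_allowed_tags = %w[p b i a select style]
# or
#   Rails::Html::SafeListSanitizer.allowed_tags = Set.new(%w[p b i a select style])
# would configure (constructed example values):
WEAK_ALLOWED_TAGS = %w[p b i a select style]
SAFE_ALLOWED_TAGS = harden_allowed_tags(WEAK_ALLOWED_TAGS)

if __FILE__ == $PROGRAM_NAME
  p assess(SAMPLE_LOCKFILE, WEAK_ALLOWED_TAGS) # exposed: true
  p assess(SAMPLE_LOCKFILE, SAFE_ALLOWED_TAGS) # exposed: false
end
```

Run it against a real Gemfile.lock by reading the file into locked_sanitizer_version and passing the application's actual configured tags to risky_allowed_tags?; an :exposed result of true means upgrade to 1.4.4 or drop one of the two tags.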

What is the Impact of CVE-2022-23520?

Successful exploitation may allow attackers to execute arbitrary scripts in the victim's browser, leading to session hijacking, defacement of web content, redirection to malicious sites, or unauthorized actions on behalf of the user.

What is the Exploitability of CVE-2022-23520?

Exploitation of this vulnerability has high complexity. It depends entirely on a specific, non-default configuration in which the application developer has explicitly added both the 'select' and 'style' elements to the sanitizer's allowed tags. No authentication or privileges are required to trigger the flaw itself, since it is reached through input processing, and the scenario is remote: an attacker submits malicious markup through a web interface that the application sanitizes and later renders. Risk factors that increase exploitation likelihood include custom HTML sanitization rules that diverge from the secure defaults combined with processing of untrusted, user-supplied content.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-23520?

Available Upgrade Options

  • rails-html-sanitizer
    • <1.4.4 → Upgrade to 1.4.4 or later

Workaround if an immediate upgrade is not possible: remove either "select" or "style" from the overridden allowed tags, so the two elements are never permitted together.

Additional Resources

What are Similar Vulnerabilities to CVE-2022-23520?

Similar Vulnerabilities: CVE-2024-53986, CVE-2022-32209, CVE-2021-22926, CVE-2020-8166, CVE-2019-5418