CVE-2022-32209
XSS vulnerability in rails-html-sanitizer (RubyGems)
What is CVE-2022-32209 About?
Versions of Rails::Html::Sanitizer prior to 1.4.3 are vulnerable to XSS under specific configurations. This allows an attacker to inject content if the sanitizer's allowed tags include both 'select' and 'style' elements. Exploitation is possible through crafted input when the application explicitly overrides default allowed tags.
Affected Software
Technical Details
This XSS vulnerability affects Rails::Html::Sanitizer versions prior to 1.4.3. It arises when an application explicitly overrides the default allowed HTML tags so that the sanitizer's configuration permits both <select> and <style> elements. This override can occur via config.action_view.sanitized_allowed_tags, the :tags option of the sanitize helper, or direct modification of Rails::Html::SafeListSanitizer.allowed_tags or an instance's :tags option. The combination of these two tags creates a DOM-based XSS bypass: an attacker can craft input that, once sanitized and rendered, executes JavaScript in the victim's browser. The sanitizer fails to neutralize the attack vector created by the interplay of these allowed elements, so neither tag is dangerous on its own under this advisory; it is the pair that matters.
What is the Impact of CVE-2022-32209?
Successful exploitation may allow attackers to inject malicious scripts into web pages, leading to defacement, session hijacking, or other client-side attacks.
What is the Exploitability of CVE-2022-32209?
Exploitation of this XSS vulnerability is of moderate complexity, as it relies on specific, non-default configurations within the target application. Prerequisites include a vulnerable version of Rails::Html::Sanitizer (prior to 1.4.3) and the explicit allowance of both 'select' and 'style' tags via application configuration or sanitization helper options. No specific authentication or privilege is required for the attacker, as the vulnerability is triggered by the processing of untrusted user-supplied input. It's a remote vulnerability, exploiting how the server processes and sanitizes input. The likelihood of exploitation is increased if developers frequently customize allowed HTML tags, handle untrusted user-generated content, or are unaware of the specific interaction between 'select' and 'style' tags leading to XSS.
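The Technical Details and Exploitability sections above give two concrete, checkable preconditions: a gem version before 1.4.3, and an allowed-tag set that contains both select and style. The following Ruby script is an added example written for this page, not code from the advisory or from the rails-html-sanitizer project. It audits those two preconditions against plain Ruby data (a version string and a list of allowed tags, as you would pass to sanitized_allowed_tags or the :tags option) so it can run offline without the gem installed. The sample configurations at the bottom are constructed for illustration.

```ruby
# Added example (not part of the advisory or the rails-html-sanitizer gem):
# audit a Rails::Html::Sanitizer configuration for the CVE-2022-32209
# preconditions stated in the advisory text. Works on plain Ruby data only.

require "rubygems" # provides Gem::Version for semantic version comparison
require "set"

# Fixed release named in the advisory.
FIXED_VERSION = Gem::Version.new("1.4.3")

# The advisory's precondition is that BOTH of these tags are allowed.
RISKY_TAG_PAIR = %w[select style].freeze

# True when the installed rails-html-sanitizer is older than the fix.
# Gem::Version handles pre-release strings ("1.4.3.rc1" sorts before "1.4.3").
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# True when the allowed-tag set contains both select and style.
# Accepts strings or symbols, as the :tags option and
# config.action_view.sanitized_allowed_tags do.
def risky_tag_combination?(allowed_tags)
  tags = allowed_tags.map { |t| t.to_s.downcase }.to_set
  RISKY_TAG_PAIR.all? { |t| tags.include?(t) }
end

# Combines both checks into one finding. :exposed is true only when the
# version is unpatched AND the tag set meets the advisory's precondition.
def audit_sanitizer_config(version_string, allowed_tags)
  finding = {
    version: version_string,
    version_vulnerable: vulnerable_version?(version_string),
    risky_tags_allowed: risky_tag_combination?(allowed_tags),
  }
  finding[:exposed] = finding[:version_vulnerable] && finding[:risky_tags_allowed]
  finding
end

# Configuration-level mitigation derived from the stated precondition:
# removing either tag breaks the pair. The real fix is upgrading to 1.4.3;
# this only reduces exposure while an upgrade is scheduled. Here we drop
# "style", the tag least likely to be needed in user-supplied HTML.
def remediate_allowed_tags(allowed_tags)
  allowed_tags.map(&:to_s).reject { |t| t.downcase == "style" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configurations (not real defaults of the gem).
  samples = [
    ["1.4.2", %w[p a strong em select style]],   # unpatched + risky pair
    ["1.4.2", %w[p a strong em select]],         # unpatched, pair incomplete
    ["1.4.3", %w[p a strong em select style]],   # patched, pair present
  ]
  samples.each do |version, tags|
    finding = audit_sanitizer_config(version, tags)
    puts "#{version} #{tags.inspect} -> exposed=#{finding[:exposed]}"
    puts "  suggested tags: #{remediate_allowed_tags(tags).inspect}" if finding[:exposed]
  end
end
```

Run it as a script to see the three sample findings, or drop the functions into a Rake task that reads `Gem.loaded_specs["rails-html-sanitizer"].version.to_s` and your application's configured tag list; only the first sample, unpatched with both tags allowed, is reported as exposed.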
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-32209?
Available Upgrade Options
- rails-html-sanitizer
- <1.4.3 → Upgrade to 1.4.3
Additional Resources
- https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d
- https://github.com/rails/rails-html-sanitizer
- https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47
- https://hackerone.com/reports/1530898
- https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html
- https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH/
What are Similar Vulnerabilities to CVE-2022-32209?
Similar Vulnerabilities: CVE-2024-53988, CVE-2023-26136, CVE-2021-22924, CVE-2020-8164, CVE-2018-8048
