CVE-2024-53985
XSS vulnerability in rails-html-sanitizer (RubyGems)

XSS vulnerability
No known exploit

What is CVE-2024-53985 About?

This XSS vulnerability exists in Rails::HTML::Sanitizer 1.6.0 when used with specific Rails and Nokogiri versions, allowing attackers to inject content. It occurs under particular HTML5 sanitization configurations where 'math'/'svg' and 'style' elements are both allowed. Exploitation is contingent on these specific configuration overrides.

Affected Software

rails-html-sanitizer >=1.6.0, <1.6.1

Technical Details

The vulnerability arises in Rails::HTML::Sanitizer version 1.6.0 when it is used with Rails >= 7.1.0 and Nokogiri < 1.15.7 or 1.16.x < 1.16.8. When Rails is configured to use HTML5 sanitization (config.action_view.sanitizer_vendor or config.action_text.sanitizer_vendor) and the application developer explicitly overrides the sanitizer's allowed tags to include both 'math' (or 'svg') and 'style', an attacker can bypass the sanitization. The bypass likely stems from the combination of allowed SVG/MathML elements and inline style content, leading to Cross-Site Scripting (XSS). With this tag combination in place and an affected Nokogiri version, the sanitizer fails to neutralize the injected markup.

What is the Impact of CVE-2024-53985?

Successful exploitation may allow attackers to inject arbitrary web scripts into user-controlled web pages, leading to session hijacking, defacement, sensitive data disclosure, or redirection to malicious sites.

What is the Exploitability of CVE-2024-53985?

Exploitation complexity is moderate, because specific environmental prerequisites must hold in addition to attacker-supplied input. The key conditions are: Rails >= 7.1.0, an affected Nokogiri version (< 1.15.7 or 1.16.x < 1.16.8), and, most importantly, an HTML5 sanitization configuration in which both 'math'/'svg' and 'style' elements are allowed. This configuration may be set globally or per sanitization call. No authentication is typically required if the attacker can submit content that is subject to sanitization (e.g., forum posts, comments); the only privilege needed is the ordinary ability to enter text. The vulnerability is remotely exploitable, since it involves crafting and submitting malicious HTML content. Risk is significantly higher in applications that customize their HTML sanitization rules to include this tag combination in the belief that it is safe.
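The preconditions listed in the Technical Details and Exploitability sections, as an added audit helper (not code from the advisory or from the rails-html-sanitizer project): it takes gem versions and a sanitizer tag allowlist as plain inputs and reports a finding only when every precondition the advisory names holds. The version strings and sample allowlists are constructed inputs.

```ruby
require "rubygems" # for Gem::Version (ships with Ruby)

# Tags that, combined with 'style', form the allowlist the advisory names.
RISKY_CONTAINERS = %w[math svg].freeze

def version(str)
  Gem::Version.new(str)
end

# rails-html-sanitizer >= 1.6.0, < 1.6.1 (the advisory's affected range)
def sanitizer_affected?(gem_version)
  v = version(gem_version)
  v >= version("1.6.0") && v < version("1.6.1")
end

# Nokogiri < 1.15.7, or 1.16.x < 1.16.8 (the advisory's affected ranges)
def nokogiri_affected?(gem_version)
  v = version(gem_version)
  return true if v < version("1.15.7")
  v >= version("1.16.0") && v < version("1.16.8")
end

# Rails >= 7.1.0 per the advisory
def rails_affected?(gem_version)
  version(gem_version) >= version("7.1.0")
end

# Normalize an allowlist (symbols or strings, any case) and return which risky
# container tags it holds alongside 'style'; [] when the combination is absent.
def risky_tags(allowed_tags)
  tags = allowed_tags.map { |t| t.to_s.downcase }
  return [] unless tags.include?("style")
  tags & RISKY_CONTAINERS
end

# A finding is reported only when all preconditions hold. Returns an Array of
# human-readable findings; an empty Array means no CVE-2024-53985 exposure.
def audit(rails:, sanitizer:, nokogiri:, allowed_tags:)
  return [] unless rails_affected?(rails) && sanitizer_affected?(sanitizer) &&
                   nokogiri_affected?(nokogiri)
  containers = risky_tags(allowed_tags)
  return [] if containers.empty?
  ["CVE-2024-53985: allowlist permits 'style' with #{containers.join('/')}; " \
   "upgrade rails-html-sanitizer to 1.6.1 or remove 'style' from the allowlist"]
end

# Constructed samples: the vulnerable override beside a safe one.
VULNERABLE_ALLOWLIST = %w[p a strong svg style].freeze
SAFE_ALLOWLIST = %w[p a strong svg].freeze
```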

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2024-53985?

Available Upgrade Options

  • rails-html-sanitizer
    • >=1.6.0, <1.6.1 → Upgrade to 1.6.1


Additional Resources

What are Similar Vulnerabilities to CVE-2024-53985?

Similar Vulnerabilities: CVE-2022-23518, CVE-2020-8164, CVE-2019-10741, CVE-2018-3740, CVE-2017-0941