CVE-2024-53986
XSS vulnerability in rails-html-sanitizer (RubyGems)
What is CVE-2024-53986 About?
This is a Cross-Site Scripting (XSS) vulnerability in Rails::HTML::Sanitizer 1.6.0 that appears only under specific, non-default configurations when the gem is used with Rails >= 7.1.0. It allows an attacker to inject content, including script, into pages rendered from sanitized user input, which can lead to data theft or defacement. Exploitation requires a particular developer configuration and is of moderate complexity.
Affected Software
- rails-html-sanitizer (RubyGems) 1.6.0 (versions >= 1.6.0, < 1.6.1), when used with Rails >= 7.1.0
Technical Details
The vulnerability arises in Rails::HTML::Sanitizer 1.6.0 when HTML5 sanitization is in use and the sanitizer's allow-list explicitly includes both the 'math' and 'style' elements. Neither element is in the default allow-list; the exposure appears only when a developer overrides the default allowed tags to include both of them, through config.action_view.sanitized_allowed_tags, the sanitize helper's :tags option, or by setting Rails::HTML5::SafeListSanitizer.allowed_tags directly. With such an allow-list, an attacker can craft input that places content inside those elements in a way the sanitizer does not neutralize, so arbitrary script or other attacker-controlled markup reaches the rendered HTML.
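As an added example (not code from the advisory or from the rails-html-sanitizer project), the plain-Ruby script below audits an application's sanitizer allow-lists for the 'math' plus 'style' combination across the three override mechanisms named above, applies the advisory's mitigation of dropping one of the two elements, and gates on the affected gem version. The source snippets it scans are constructed for this example; the regexes only recognise %w[...] and ["..."] literals, which is an assumption about how the allow-list is written, and the function and constant names are this example's own.

```ruby
# Added example, not from the advisory or from rails-html-sanitizer.
# Needs only plain Ruby (no gem install), so it runs offline.
require "set"
require "rubygems"

# The element pair named in the advisory: allowing BOTH of these in the
# HTML5 safe-list sanitizer is the precondition for the XSS.
UNSAFE_TAG_COMBINATIONS = [Set["math", "style"]].freeze

# Returns the unsafe combinations that are fully present in +allowed_tags+.
def unsafe_combinations(allowed_tags)
  tags = Set.new(allowed_tags.map(&:to_s))
  UNSAFE_TAG_COMBINATIONS.select { |combo| combo.subset?(tags) }
end

# Mitigation from the advisory: drop one element of the pair. Dropping "style"
# is the usual choice (inline stylesheets are rarely needed in user HTML);
# pass drop: "math" to keep "style" instead.
def harden_allowed_tags(allowed_tags, drop: "style")
  allowed_tags.map(&:to_s).reject { |t| t == drop }
end

# Affected range stated on this page: >= 1.6.0, < 1.6.1 (fixed in 1.6.1).
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  v >= Gem::Version.new("1.6.0") && v < Gem::Version.new("1.6.1")
end

# All three override mechanisms REPLACE the default allow-list with the
# developer's set, so each has to be audited. ASSUMPTION: tag lists are
# written as %w[...] or ["..."] literals; runtime-computed lists are out of
# scope for this regex scan.
OVERRIDE_PATTERNS = {
  "config.action_view.sanitized_allowed_tags" =>
    /sanitized_allowed_tags\s*=\s*(%w\[[^\]]*\]|\[[^\]]*\])/,
  "sanitize(..., tags:)" =>
    /sanitize\([^)]*tags:\s*(%w\[[^\]]*\]|\[[^\]]*\])/,
  "Rails::HTML5::SafeListSanitizer.allowed_tags" =>
    /SafeListSanitizer\.allowed_tags\s*=\s*(?:Set\.new\()?\s*(%w\[[^\]]*\]|\[[^\]]*\])/,
}.freeze

# Extract tag names from a %w[...] or ["a", "b"] literal.
def parse_tag_literal(literal)
  body = literal.sub(/\A%w\[/, "").sub(/\A\[/, "").sub(/\]\z/, "")
  body.scan(/[A-Za-z0-9_-]+/)
end

# Scan Ruby source text and report every allow-list override it finds,
# together with the unsafe combinations each one enables.
def audit_source(source)
  OVERRIDE_PATTERNS.flat_map do |mechanism, pattern|
    source.scan(pattern).flatten.map do |literal|
      tags = parse_tag_literal(literal)
      { mechanism: mechanism, tags: tags, unsafe: unsafe_combinations(tags) }
    end
  end
end

# Constructed sample source: two vulnerable overrides and one safe one.
SAMPLE_SOURCE = <<~RUBY
  # config/application.rb (constructed sample, vulnerable)
  config.action_view.sanitized_allowed_tags = %w[p a em strong math style]

  # app/helpers/posts_helper.rb (constructed sample, vulnerable)
  def render_body(post)
    sanitize(post.body, tags: ["p", "a", "math", "style"])
  end

  # config/initializers/sanitizer.rb (constructed sample, safe: no "style")
  Rails::HTML5::SafeListSanitizer.allowed_tags = Set.new(%w[p a math])
RUBY

if $PROGRAM_NAME == __FILE__
  puts "rails-html-sanitizer 1.6.0 affected? #{vulnerable_version?('1.6.0')}"
  audit_source(SAMPLE_SOURCE).each do |f|
    status = f[:unsafe].empty? ? "ok" : "UNSAFE #{f[:unsafe].map(&:to_a).inspect}"
    puts "#{f[:mechanism]}: #{f[:tags].join(' ')} -> #{status}"
    puts "  hardened: #{harden_allowed_tags(f[:tags]).join(' ')}" unless f[:unsafe].empty?
  end
end
```

Run it against your own tree by replacing SAMPLE_SOURCE with the contents of config/ and app/ files; any finding marked UNSAFE is an allow-list that needs 'style' or 'math' removed until the gem is at 1.6.1, and the hardened list printed beside it is the drop-in replacement.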
What is the Impact of CVE-2024-53986?
Successful exploitation may allow an attacker to execute arbitrary script in a victim's browser, leading to session hijacking, defacement of web content, redirection to malicious sites, or unauthorized actions performed on behalf of the user.
What is the Exploitability of CVE-2024-53986?
Exploitation is of moderate complexity because it depends on a non-default configuration: the application developer must have explicitly allowed both the 'math' and 'style' elements in the HTML sanitizer. No authentication or privilege is required to trigger the flaw itself; the attacker only needs a path for user-supplied HTML to reach the sanitizer and be rendered to other users, typically through an ordinary web form or API, so the scenario is remote. The primary precondition is the misconfigured Rails::HTML::Sanitizer allow-list. Likelihood rises for applications that accept and display rich user-provided HTML, and for teams that have broadened the sanitizer's allow-list without reviewing the security implications of each added element.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-53986?
Available Upgrade Options
- rails-html-sanitizer
- >=1.6.0, <1.6.1 → Upgrade to 1.6.1
Additional Resources
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48
- https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e
- https://osv.dev/vulnerability/GHSA-638j-pmjw-jq48
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53986.yml
- https://nvd.nist.gov/vuln/detail/CVE-2024-53986
- https://github.com/rails/rails-html-sanitizer
What are Similar Vulnerabilities to CVE-2024-53986?
Similar Vulnerabilities: CVE-2022-23520, CVE-2022-32209, CVE-2021-22926, CVE-2020-8166, CVE-2019-5418
