CVE-2024-53988
XSS vulnerability in rails-html-sanitizer (RubyGems)

XSS vulnerability. No known exploit.

What is CVE-2024-53988 About?

This XSS vulnerability exists in Rails::HTML::Sanitizer 1.6.0 under specific configurations with Rails >= 7.1.0. It allows an attacker to inject content if certain HTML elements are explicitly allowed within the sanitizer's configuration. Exploitation requires specific overrides to the allowed tags, making it less straightforward but still impactful.

Affected Software

rails-html-sanitizer >=1.6.0, <1.6.1

Technical Details

The vulnerability occurs when Rails::HTML::Sanitizer 1.6.0 is used with HTML5 sanitization enabled and the application developer has customized the allowed tags. Specifically, if the 'math', 'mtext', 'table', and 'style' elements are all allowed, AND either 'mglyph' or 'malignmark' is also allowed, an attacker can bypass the sanitization and inject malicious content. The bypass exists because this particular combination of tags creates a parsing context in which injected scripts or harmful attributes survive sanitization and can be executed. The default configuration is generally safe, as it disallows most of these elements; the risk arises solely from explicit developer overrides made through application configuration, Action View helper options, or direct class/instance attribute settings on Rails::HTML5::SafeListSanitizer or ActionText::ContentHelper.
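As an added example (not code from this advisory or from the rails-html-sanitizer project), the Ruby audit below encodes the tag combination and the affected version range stated above so that an application's allow-list override can be checked for exposure. The helper names and the sample override arrays are constructed for illustration; the gem itself is not required, so the check runs offline.

```ruby
# Added example: audits an application's allowed-tag override for the
# tag combination described in CVE-2024-53988 and checks the gem version.
require "set"
require "rubygems" # Gem::Version / Gem::Requirement (loaded by default)

# All of these must be allowed together...
REQUIRED_ALL = %w[math mtext table style].freeze
# ...plus at least one of these, for the unsafe combination to exist.
REQUIRED_ANY = %w[mglyph malignmark].freeze

# Affected range from the advisory: >= 1.6.0, < 1.6.1
AFFECTED_RANGE = Gem::Requirement.new(">= 1.6.0", "< 1.6.1")

# True when the allowed-tag set matches the unsafe combination.
# Accepts strings or symbols, since overrides may use either.
def unsafe_tag_combination?(allowed_tags)
  tags = allowed_tags.map(&:to_s).to_set
  REQUIRED_ALL.all? { |t| tags.include?(t) } &&
    REQUIRED_ANY.any? { |t| tags.include?(t) }
end

# True when the installed rails-html-sanitizer version is in the range.
def affected_version?(version)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version))
end

# A finding requires both the affected gem AND the risky override;
# the fix named on this page is upgrading the gem to 1.6.1.
def cve_2024_53988_exposed?(gem_version, allowed_tags)
  affected_version?(gem_version) && unsafe_tag_combination?(allowed_tags)
end

# Constructed sample overrides (hypothetical application settings):
# an allow-list extended to render MathML and styled tables.
RISKY_OVERRIDE = %w[p a math mtext table style mglyph].freeze
# Same feature set without the glyph elements: combination not matched.
SAFER_OVERRIDE = %w[p a math mtext table style].freeze

if __FILE__ == $PROGRAM_NAME
  puts "1.6.0 + risky override: #{cve_2024_53988_exposed?('1.6.0', RISKY_OVERRIDE)}"
  puts "1.6.1 + risky override: #{cve_2024_53988_exposed?('1.6.1', RISKY_OVERRIDE)}"
  puts "1.6.0 + safer override: #{cve_2024_53988_exposed?('1.6.0', SAFER_OVERRIDE)}"
end
```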

What is the Impact of CVE-2024-53988?

Successful exploitation may allow attackers to inject malicious scripts into web pages, leading to defacement, session hijacking, or other client-side attacks.

What is the Exploitability of CVE-2024-53988?

Exploitation of this XSS vulnerability is of moderate complexity, requiring specific configuration overrides within the target application. Prerequisites include the use of Rails::HTML::Sanitizer 1.6.0 with Rails >= 7.1.0, HTML5 sanitization enabled, and the explicit allowance of a particular combination of 'math', 'mtext', 'table', 'style', and either 'mglyph' or 'malignmark' HTML elements. No specific authentication or privilege is required from the attacker's perspective, as the vulnerability lies in the server-side sanitization logic applied to user-supplied input. It's a remote vulnerability, exploiting how the server processes and sanitizes input. The likelihood of exploitation is increased if developers frequently customize allowed HTML tags without a deep understanding of potential XSS bypasses or if the application processes untrusted user-generated content.

What are the Known Public Exploits?

No known exploits (no PoC entries listed).

What are the Available Fixes for CVE-2024-53988?

Available Upgrade Options

  • rails-html-sanitizer
    • >=1.6.0, <1.6.1 → Upgrade to 1.6.1


Additional Resources

What are Similar Vulnerabilities to CVE-2024-53988?

Similar Vulnerabilities: CVE-2023-26136, CVE-2022-32209, CVE-2021-22924, CVE-2020-8164, CVE-2018-8048