CVE-2024-53989
Cross-site Scripting vulnerability in rails-html-sanitizer (RubyGems)
What is CVE-2024-53989 About?
This is a potential Cross-site Scripting (XSS) vulnerability in Rails::HTML::Sanitizer 1.6.0 under specific configurations. It allows an attacker to inject content if HTML5 sanitization is enabled and the 'noscript' element is explicitly allowed in the sanitizer's configuration. Exploitation requires careful configuration by the developer and malicious user input.
Affected Software
Technical Details
The vulnerability arises in Rails::HTML::Sanitizer version 1.6.0 when used with Rails >= 7.1.0 and configured to use HTML5 sanitization, specifically if the 'noscript' HTML element is explicitly allowed as a safe tag. The sanitization process fails to properly neutralize attacker-controlled content within the 'noscript' tag. An attacker can craft malicious input containing JavaScript within a 'noscript' tag, which, when processed by the vulnerable sanitizer configuration, will bypass the sanitization and be rendered by a victim's browser, leading to XSS. This bypass occurs because the sanitizer, under the specified conditions, does not apply adequate scrubbing to content within this specific allowed tag.
What is the Impact of CVE-2024-53989?
Successful exploitation may allow attackers to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking, data theft, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2024-53989?
Exploitation of this XSS vulnerability is contingent on highly specific configuration choices within the target Rails application, specifically enabling HTML5 sanitization and explicitly allowing the 'noscript' element in the sanitizer's allowed tags. This means the exploitation complexity is moderate to high, as it relies on developer misconfiguration rather than a flaw in the default setup. Authentication requirements depend on where the sanitized input is processed; if it's user-supplied content in a public-facing page, no authentication might be needed. Privilege requirements are low, as an attacker only needs to submit malicious input. This is a remote vulnerability, achievable by sending specially crafted web requests. The primary special condition is the overridden allowed_tags to include 'noscript'. Risk factors are increased if the application widely processes untrusted HTML and developers frequently customize sanitizer configurations.
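As an added example that is not part of this advisory or the rails-html-sanitizer project, the following Ruby audits an application's sanitizer configuration against the three conditions described above (affected gem version, HTML5 sanitization enabled, 'noscript' in the overridden allowed_tags) and produces a hardened allow-list; the function names and argument shape are assumptions, and it needs nothing beyond the RubyGems library bundled with Ruby.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

# Version range the advisory gives as affected, and the fixed release.
AFFECTED_RANGE = Gem::Requirement.new(">= 1.6.0", "< 1.6.1")
FIXED_VERSION  = "1.6.1"

# Audit one sanitizer configuration against the three conditions the
# advisory describes. Arguments are assumed to be collected from the
# application (Gemfile.lock version, whether HTML5 sanitization is on,
# and the allowed-tag list the developer passes to the sanitizer).
def audit_sanitizer_config(version:, html5:, allowed_tags:)
  tags = Array(allowed_tags).map(&:to_s)
  findings = []

  affected_version = AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version))
  findings << "rails-html-sanitizer #{version} is in the affected range" if affected_version
  findings << "HTML5 sanitization is enabled" if html5
  findings << "'noscript' is explicitly allowed" if tags.include?("noscript")

  # All three conditions must hold; removing any one of them closes the gap.
  vulnerable = affected_version && html5 && tags.include?("noscript")

  remediation = []
  remediation << "upgrade rails-html-sanitizer to #{FIXED_VERSION}" if affected_version
  remediation << "remove 'noscript' from allowed_tags" if tags.include?("noscript")

  { vulnerable: vulnerable, findings: findings, remediation: remediation }
end

# Hardened allow-list: the same tags with 'noscript' dropped. Suitable as
# the interim mitigation while the gem upgrade is pending.
def hardened_allowed_tags(allowed_tags)
  Array(allowed_tags).map(&:to_s).reject { |t| t == "noscript" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a developer override that adds noscript to the list.
  sample_tags = %w[p a strong noscript]
  report = audit_sanitizer_config(version: "1.6.0", html5: true,
                                  allowed_tags: sample_tags)
  puts "vulnerable: #{report[:vulnerable]}"
  report[:findings].each { |f| puts "  - #{f}" }
  report[:remediation].each { |r| puts "  fix: #{r}" }
  puts "hardened tags: #{hardened_allowed_tags(sample_tags).inspect}"
end
```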
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-53989?
Available Upgrade Options
- rails-html-sanitizer
- >=1.6.0, <1.6.1 → Upgrade to 1.6.1
Additional Resources
- https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g
- https://nvd.nist.gov/vuln/detail/CVE-2024-53989
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml
- https://osv.dev/vulnerability/GHSA-rxv5-gxqc-xx8g
- https://github.com/rails/rails-html-sanitizer
What are Similar Vulnerabilities to CVE-2024-53989?
Similar Vulnerabilities: CVE-2022-23519, CVE-2022-27777, CVE-2021-22927, CVE-2020-8166, CVE-2018-8048
