Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jaDNoLWoydmYtOTVwds1BUQ
XSS Vulnerability in Action View tag helpers
There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.
Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
Impact
If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.
Impacted code will look something like this:
check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })
Where the "malicious_input" variable contains untrusted data.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
Escape the untrusted data before using it as a key for tag helper methods.
Permalink: https://github.com/advisories/GHSA-ch3h-j2vf-95pvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jaDNoLWoydmYtOTVwds1BUQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 11 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-ch3h-j2vf-95pv, CVE-2022-27777
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-27777
- https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
- https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
- https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
- https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
- https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
- https://www.debian.org/security/2023/dsa-5372
- https://github.com/advisories/GHSA-ch3h-j2vf-95pv
Blast Radius: 35.3
Affected Packages
rubygems:actionview
Dependent packages: 354Dependent repositories: 601,072
Downloads: 477,673,908 total
Affected Version Ranges: >= 7.0.0, <= 7.0.2.3, >= 6.1.0, <= 6.1.5.0, >= 6.0.0, <= 6.0.4.7, <= 5.2.7.0
Fixed in: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
All affected versions: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3
All unaffected versions: