RubySec

Providing security resources for the Ruby community

CVE-2022-23518 (rails-html-sanitizer): Improper neutralization of data URIs may allow XSS in rails-html-sanitizer

GEM

rails-html-sanitizer

SEVERITY

CVSS v3.x: 6.1 (Medium)

UNAFFECTED VERSIONS

  • < 1.0.3

PATCHED VERSIONS

  • >= 1.4.4

DESCRIPTION

Summary

rails-html-sanitizer >= 1.0.3, < 1.4.4 is vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0.

Mitigation

Upgrade to rails-html-sanitizer >= 1.4.4.
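The advisory's affected range depends on two gems at once, so a quick audit has to look at both. The following is an added example, not code from RubySec or the rails-html-sanitizer project: it reads the resolved versions out of a Gemfile.lock using only the Ruby standard library and reports whether the application falls inside the range the advisory describes (rails-html-sanitizer >= 1.0.3 and < 1.4.4 together with loofah >= 2.1.0). The helper names `locked_versions` and `cve_2022_23518_status`, and the lockfile text it runs against, are constructed for this illustration.

```ruby
# Added example (not part of the RubySec advisory or the rails-html-sanitizer
# project): classify a Gemfile.lock against the CVE-2022-23518 ranges.
require "rubygems"

# Ranges taken from the advisory text above.
AFFECTED_SANITIZER = Gem::Requirement.new(">= 1.0.3", "< 1.4.4")
AFFECTED_LOOFAH    = Gem::Requirement.new(">= 2.1.0")

# Parse the resolved spec lines of a Gemfile.lock into
# { "gem name" => Gem::Version }. Only lines indented by exactly four spaces
# ("    name (x.y.z)") are resolved versions; the six-space lines beneath them
# are dependency constraints and are skipped.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    # Platform-specific entries look like "1.13.9-x86_64-linux"; drop the
    # platform suffix so Gem::Version accepts the string.
    versions[$1] = Gem::Version.new($2.sub(/-.*\z/, ""))
  end
  versions
end

# Returns :vulnerable, :patched, :not_affected, :not_present (gem absent) or
# :unknown (sanitizer in range but loofah missing from the lockfile).
def cve_2022_23518_status(lockfile_text)
  versions  = locked_versions(lockfile_text)
  sanitizer = versions["rails-html-sanitizer"]
  loofah    = versions["loofah"]

  return :not_present if sanitizer.nil?
  return :patched if sanitizer >= Gem::Version.new("1.4.4")
  return :not_affected unless AFFECTED_SANITIZER.satisfied_by?(sanitizer)
  return :unknown if loofah.nil?
  AFFECTED_LOOFAH.satisfied_by?(loofah) ? :vulnerable : :not_affected
end

# Constructed lockfile fragment for demonstration; a real Gemfile.lock would
# be read from disk with File.read("Gemfile.lock").
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.19.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.9-x86_64-linux)
        racc (~> 1.4)
      racc (1.6.0)
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rails-html-sanitizer

  BUNDLED WITH
     2.3.26
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "CVE-2022-23518: #{cve_2022_23518_status(SAMPLE_LOCKFILE)}"
end
```

Run it against a real lockfile by replacing `SAMPLE_LOCKFILE` with `File.read("Gemfile.lock")`. Note that `:patched` is decided from the rails-html-sanitizer version alone, matching the advisory's mitigation, while `:vulnerable` requires both gems to be in range; applications that pin loofah below 2.1.0 are reported as `:not_affected`, which is what the summary states, but upgrading the sanitizer is still the supported fix.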