SB2023050801 - Multiple vulnerabilities in rails-html-sanitizer for Ruby
Published: May 8, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2022-23520)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data with certain configurations of Rails::Html::Sanitizer. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2022-23519)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data with certain configurations of Rails::Html::Sanitizer. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2022-23518)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via URLs when used in combination with Loofah. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Incorrect regular expression (CVE-ID: CVE-2022-23517)
The vulnerability allows a remote attacker to perform DoS attack.
The vulnerability exists due to usage of an incorrect regular expression to parse SVG attributes. A remote attacker can pass a specially crafted SVG image to the application and consume excessive CPU resources.
Remediation
Install update from vendor's website.
References
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8
- https://hackerone.com/reports/1654310
- https://hackerone.com/reports/1656627
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
- https://hackerone.com/reports/1694173
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
- https://github.com/rails/rails-html-sanitizer/issues/135
- https://hackerone.com/reports/1684163
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
- https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979