CVE-2024-32464
6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rails | rails | >= 7.1.0, < 7.1.3.4 | affected |
| rails | rails | = 7.2.0.beta1 | affected |
Weaknesses
- CWE-80: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6
- https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995
References
- https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6
- https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.