CVE-2022-32209: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

June 25, 2022 (updated July 5, 2022)

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer’s allowed tags to allow both select and style elements. Code is only impacted if allowed tags are being overridden.

References

github.com/advisories/GHSA-pg8v-g4xq-hww9
github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml
groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s
hackerone.com/reports/1530898
nvd.nist.gov/vuln/detail/CVE-2022-32209

Detect and mitigate CVE-2022-32209 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →