CVE-2024-21636

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-21636
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-21636.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-21636
Aliases
Published
2024-01-04T20:09:08.564Z
Modified
2025-11-30T06:51:11.269946Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
view_component Cross-site Scripting vulnerability
Details

viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the viewcomponent gem. Note that only components that define a #call method (i.e. instead of using a sidecar template) are affected. The return value of the #call method is not sanitized and can include user-defined content. In addition, the return value of the #output_postamble methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the #call and the #output_postamble vulnerabilities. As a workaround, sanitize the return value of #call.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21636.json",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/viewcomponent/view_component

Affected ranges

Type
GIT
Repo
https://github.com/viewcomponent/view_component
Events
Introduced
c696930250b696fb5528be08edea13a0c78b8325
Fixed
c8462c2113ca1771b681fc89eb025d8e8b685727
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.9.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/viewcomponent/view_component
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ab407af583fe9221931431ef3d575850b9e88008
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.83.0"
        }
    ]
}

Affected versions

v3.*

v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.5.0
v3.6.0
v3.7.0
v3.8.0