GHSA-ch3h-j2vf-95pv

Source

https://github.com/advisories/GHSA-ch3h-j2vf-95pv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-ch3h-j2vf-95pv/GHSA-ch3h-j2vf-95pv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ch3h-j2vf-95pv

Aliases

CVE-2022-27777

Published

2022-04-27T22:32:49Z

Modified

2023-11-01T05:30:43.602837Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

XSS Vulnerability in Action View tag helpers

Details

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL Not affected: NONE Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.

Impacted code will look something like this:

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

Where the "malicious_input" variable contains untrusted data.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Escape the untrusted data before using it as a key for tag helper methods.

References

Affected packages

RubyGems / actionview

Package

Name: actionview
Purl: pkg:gem/actionview

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.2.7.1

Affected versions

4.*

4.1.0.beta1

4.1.0.beta2

4.1.0.rc1

4.1.0.rc2

4.1.0

4.1.1

4.1.2.rc1

4.1.2.rc2

4.1.2.rc3

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6.rc1

4.1.6.rc2

4.1.6

4.1.7

4.1.7.1

4.1.8

4.1.9.rc1

4.1.9

4.1.10.rc1

4.1.10.rc2

4.1.10.rc3

4.1.10.rc4

4.1.10

4.1.11

4.1.12.rc1

4.1.12

4.1.13.rc1

4.1.13

4.1.14.rc1

4.1.14.rc2

4.1.14

4.1.14.1

4.1.14.2

4.1.15.rc1

4.1.15

4.1.16.rc1

4.1.16

4.2.0.beta1

4.2.0.beta2

4.2.0.beta3

4.2.0.beta4

4.2.0.rc1

4.2.0.rc2

4.2.0.rc3

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1

4.2.2

4.2.3.rc1

4.2.3

4.2.4.rc1

4.2.4

4.2.5.rc1

4.2.5.rc2

4.2.5

4.2.5.1

4.2.5.2

4.2.6.rc1

4.2.6

4.2.7.rc1

4.2.7

4.2.7.1

4.2.8.rc1

4.2.8

4.2.9.rc1

4.2.9.rc2

4.2.9

4.2.10.rc1

4.2.10

4.2.11

4.2.11.1

4.2.11.2

4.2.11.3

5.*

5.0.0.beta1

5.0.0.beta1.1

5.0.0.beta2

5.0.0.beta3

5.0.0.beta4

5.0.0.racecar1

5.0.0.rc1

5.0.0.rc2

5.0.0

5.0.0.1

5.0.1.rc1

5.0.1.rc2

5.0.1

5.0.2.rc1

5.0.2

5.0.3

5.0.4.rc1

5.0.4

5.0.5.rc1

5.0.5.rc2

5.0.5

5.0.6.rc1

5.0.6

5.0.7

5.0.7.1

5.0.7.2

5.1.0.beta1

5.1.0.rc1

5.1.0.rc2

5.1.0

5.1.1

5.1.2.rc1

5.1.2

5.1.3.rc1

5.1.3.rc2

5.1.3.rc3

5.1.3

5.1.4.rc1

5.1.4

5.1.5.rc1

5.1.5

5.1.6

5.1.6.1

5.1.6.2

5.1.7.rc1

5.1.7

5.2.0.beta1

5.2.0.beta2

5.2.0.rc1

5.2.0.rc2

5.2.0

5.2.1.rc1

5.2.1

5.2.1.1

5.2.2.rc1

5.2.2

5.2.2.1

5.2.3.rc1

5.2.3

5.2.4.rc1

5.2.4

5.2.4.1

5.2.4.2

5.2.4.3

5.2.4.4

5.2.4.5

5.2.4.6

5.2.5

5.2.6

5.2.6.1

5.2.6.2

5.2.6.3

5.2.7

Database specific

{
    "last_known_affected_version_range": "<= 5.2.7.0"
}

RubyGems / actionview

Package

Name: actionview
Purl: pkg:gem/actionview

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.4.8

Affected versions

6.*

6.0.0

6.0.1.rc1

6.0.1

6.0.2.rc1

6.0.2.rc2

6.0.2

6.0.2.1

6.0.2.2

6.0.3.rc1

6.0.3

6.0.3.1

6.0.3.2

6.0.3.3

6.0.3.4

6.0.3.5

6.0.3.6

6.0.3.7

6.0.4

6.0.4.1

6.0.4.2

6.0.4.3

6.0.4.4

6.0.4.5

6.0.4.6

6.0.4.7

Database specific

{
    "last_known_affected_version_range": "<= 6.0.4.7"
}

RubyGems / actionview

Package

Name: actionview
Purl: pkg:gem/actionview

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.5.1

Affected versions

6.*

6.1.0

6.1.1

6.1.2

6.1.2.1

6.1.3

6.1.3.1

6.1.3.2

6.1.4

6.1.4.1

6.1.4.2

6.1.4.3

6.1.4.4

6.1.4.5

6.1.4.6

6.1.4.7

6.1.5

Database specific

{
    "last_known_affected_version_range": "<= 6.1.5.0"
}

RubyGems / actionview

Package

Name: actionview
Purl: pkg:gem/actionview

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.2.4

Affected versions

7.*

7.0.0

7.0.1

7.0.2

7.0.2.1

7.0.2.2

7.0.2.3

Database specific

{
    "last_known_affected_version_range": "<= 7.0.2.3"
}