# Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags: ["select", "style"] %>```see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]```or```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])```All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.## CreditsThis vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3902 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3902-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     September 28, 2024                            https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : ruby-rails-html-sanitizer     Version        : 1.3.0-1+deb11u1     CVE ID         : CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520                      CVE-2022-32209     Debian Bug     : 1013806 1027153

    Multiple vulnerabilities have been fixed in ruby-rails-html-sanitizer,     a Ruby library for sanitizing HTML fragments in Rails applications.

    CVE-2022-23517

        Inefficient Regular Expression Complexity

    CVE-2022-23518

        XSS in data URIs

    CVE-2022-23519     CVE-2022-23520     CVE-2022-32209

        XSS vulnerability

    For Debian 11 bullseye, these problems have been fixed in version     1.3.0-1+deb11u1.

    We recommend that you upgrade your ruby-rails-html-sanitizer packages.

    For the detailed security status of ruby-rails-html-sanitizer please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ruby-rails-html-sanitizer

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:8506 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):
    * netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
    * netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an     unnecessary way (CVE-2021-37137)
    * python3-django: Possible XSS via template tag (CVE-2022-22818)
    * tfm-rubygem-nokogiri: ReDoS in HTML encoding detection (CVE-2022-24836)
    * tfm-rubygem-sinatra: Path traversal possible outside of public_dir when serving static files     (CVE-2022-29970)
    * tfm-rubygem-git: Package vulnerable to Command Injection via git argument injection (CVE-2022-25648)
    * rubygem-rails-html-sanitizer: Possible XSS with certain configurations (CVE-2022-32209)
    * python3-django: Potential SQL injection via Trunc and Extract arguments (CVE-2022-34265)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE     page(s) listed in the References section.

    Additional Changes:

    The items above are not a complete list of changes. This update also fixes     several bugs and adds various enhancements. Documentation for these changes     is available from the Release Notes document.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:8506 advisory.

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient     regular expression that is susceptible to excessive backtracking when attempting to detect encoding in     HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for     this issue. (CVE-2022-24836)

  - The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling     the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch     subcommand in a way that additional flags can be set. The additional flags can be used to perform a     command injection. (CVE-2022-25648)

  - Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static     files. (CVE-2022-29970)

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()     database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3566 advisory.

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain     configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible     to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of     service through CPU resource consumption. This issue has been patched in version 1.4.4. (CVE-2022-23517)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >=     1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah     >= 2.1.0. This issue is patched in version 1.4.4. (CVE-2022-23518)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an     attacker to inject content if the application developer has overridden the sanitizer's allowed tags in     either of the following ways: allow both math and style elements, or allow both svg and style     elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version     1.4.4. All users overriding the allowed tags to include math or svg and style should either upgrade     or use the following workaround immediately: Remove style from the overridden allowed tags, or remove     math and svg from the overridden allowed tags. (CVE-2022-23519)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to     an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the     application developer has overridden the sanitizer's allowed tags to allow both select and style     elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version     1.4.4. All users overriding the allowed tags to include both select and style should either upgrade or     use this workaround: Remove either select or style from the overridden allowed tags. NOTE: Code is
    _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper     method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. (CVE-2022-23520)

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3227 advisory.

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2022:2870-1 advisory.

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
207899	Debian dla-3902 : ruby-rails-html-sanitizer - security update	Nessus	Debian Local Security Checks	medium
194188	RHEL 8 : Satellite 6.12 Release (Important) (RHSA-2022:8506)	Nessus	Red Hat Local Security Checks	critical
184617	Rocky Linux 8 : Satellite 6.12 Release (Important) (RLSA-2022:8506)	Nessus	Rocky Linux Local Security Checks	critical
181447	Debian DLA-3566-1 : ruby-rails-html-sanitizer - LTS security update	Nessus	Debian Local Security Checks	medium
168449	Debian DLA-3227-1 : ruby-rails-html-sanitizer - LTS security update	Nessus	Debian Local Security Checks	medium
164331	SUSE SLES15 Security Update : rubygem-rails-html-sanitizer (SUSE-SU-2022:2870-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2022-32209

medium

Tenable Plugins

medium

critical

critical

medium

medium

medium