CVE-2024-53985: rails-html-sanitize has XSS vulnerability with certain configurations
(updated )
There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8.
- Versions affected: 1.6.0
- Not affected: < 1.6.0
- Fixed versions: 1.6.1
Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8.
References
- github.com/advisories/GHSA-w8gc-x259-rc7x
- github.com/rails/rails-html-sanitizer
- github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
- github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
- github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
- nvd.nist.gov/vuln/detail/CVE-2024-53985
Code Behaviors & Features
Detect and mitigate CVE-2024-53985 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →