CVE-2022-27777
UNKNOWN
Published 2022-05-26T00:00:00
No CVSS data available
Description
An XSS vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
GitHub Security Advisories
Advisory Details
There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.
Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
## Impact
If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability.
Impacted code will look something like this:
```ruby
check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })
```
Where the "malicious_input" variable contains untrusted data.
All users running an affected release should either upgrade or use one of the workarounds immediately.
## Releases
The FIXED releases are available at the normal locations.
## Workarounds
Escape the untrusted data before using it as a key for tag helper methods.
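As an added illustration (not Action View's own code), the following simplified attribute builder models the defect described above, escaping attribute values but not the caller-supplied keys, beside a hardened form that escapes keys too, which is what the workaround does at the call site. All function names and the sample key are assumptions made for this example.

```ruby
require "erb"

# Simplified model of how a tag helper turns a hash such as
# `aria: { key => value }` into HTML attributes. Defect modelled: the value
# is HTML-escaped, the key is interpolated raw (assumed, not Rails' code).
def render_attrs_unescaped_keys(prefix, attrs)
  attrs.map { |k, v| %(#{prefix}-#{k}="#{ERB::Util.html_escape(v)}") }.join(" ")
end

# Hardened form: the key is escaped as well, so an untrusted key can no
# longer close the attribute and add another one.
def render_attrs_escaped_keys(prefix, attrs)
  attrs.map do |k, v|
    %(#{prefix}-#{ERB::Util.html_escape(k)}="#{ERB::Util.html_escape(v)}")
  end.join(" ")
end

# Stand-in for check_box_tag that renders the aria hash with either builder.
def check_box_tag_model(name, value, aria, escape_keys:)
  rendered = escape_keys ? render_attrs_escaped_keys("aria", aria) :
                           render_attrs_unescaped_keys("aria", aria)
  %(<input type="checkbox" name="#{ERB::Util.html_escape(name)}" ) +
    %(value="#{ERB::Util.html_escape(value)}" #{rendered} />)
end

# Constructed untrusted key: a double quote closes aria-label's value and
# a second, attacker-chosen attribute follows.
MALICIOUS_KEY = 'label" data-injected="1'

# Render the same call with the vulnerable and the hardened builder.
def demo
  aria = { MALICIOUS_KEY => "thevalueofaria" }
  {
    vulnerable: check_box_tag_model("thename", "thevalue", aria, escape_keys: false),
    fixed:      check_box_tag_model("thename", "thevalue", aria, escape_keys: true)
  }
end

# Detection aid for review or tests: did an attribute we never wrote
# appear in the rendered tag?
def injected_attribute?(html)
  html.include?('data-injected="')
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, html| puts "#{label}: #{html}" }
end
```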
Affected Packages

| Ecosystem | Package | Affected versions |
|---|---|---|
| RubyGems | actionview | ≥0, <5.2.7.1 |
| RubyGems | actionview | ≥6.0.0, <6.0.4.8 |
| RubyGems | actionview | ≥6.1.0, <6.1.5.1 |
| RubyGems | actionview | ≥7.0.0, <7.0.2.4 |
CVSS Scoring
CVSS Score: 5.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
Package: https://github.com/rails/rails
Advisory provided by GitHub Security Advisory Database. Published: April 27, 2022, Modified: June 7, 2023
Published: 2022-05-26T00:00:00
Last Modified: 2024-08-03T05:32:59.808Z