Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-27777

UNKNOWN
Published 2022-05-26T00:00:00
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-27777. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.

Understanding This Vulnerability

This Common Vulnerabilities and Exposures (CVE) entry provides detailed information about a security vulnerability that has been publicly disclosed. CVEs are standardized identifiers assigned by MITRE Corporation to track and catalog security vulnerabilities across software and hardware products.

The severity rating (UNKNOWN) indicates the potential impact of this vulnerability based on the CVSS (Common Vulnerability Scoring System) framework. Higher severity ratings typically indicate vulnerabilities that could lead to more significant security breaches if exploited. Security teams should prioritize remediation efforts based on severity, exploit availability, and the EPSS (Exploit Prediction Scoring System) score, which predicts the likelihood of exploitation in the wild.

If this vulnerability affects products or systems in your infrastructure, we recommend reviewing the affected products section, checking for available patches or updates from vendors, and implementing recommended workarounds or solutions until a permanent fix is available. Organizations should also monitor security advisories and threat intelligence feeds for updates about active exploitation of this vulnerability.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

References

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534 (CNA)
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html (CNA)
https://www.debian.org/security/2023/dsa-5372 (CNA)

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

XSS Vulnerability in Action View tag helpers

GHSA-ch3h-j2vf-95pv

Advisory Details

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777. Versions Affected: ALL Not affected: NONE Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 ## Impact If untrusted data is passed as the hash key for tag attributes, there is a possibility that the untrusted data may not be properly escaped which can lead to an XSS vulnerability. Impacted code will look something like this: ``` check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' }) ``` Where the "malicious_input" variable contains untrusted data. All users running an affected release should either upgrade or use one of the workarounds immediately. ## Releases The FIXED releases are available at the normal locations. ## Workarounds Escape the untrusted data before using it as a key for tag helper methods.

Affected Packages

RubyGems actionview
ECOSYSTEM: ≥0 <5.2.7.1
RubyGems actionview
ECOSYSTEM: ≥6.0.0 <6.0.4.8
RubyGems actionview
ECOSYSTEM: ≥6.1.0 <6.1.5.1
RubyGems actionview
ECOSYSTEM: ≥7.0.0 <7.0.2.4

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-27777
WEB https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85
WEB https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
PACKAGE https://github.com/rails/rails
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
WEB https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
WEB https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
WEB https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
WEB https://www.debian.org/security/2023/dsa-5372

Advisory provided by GitHub Security Advisory Database. Published: April 27, 2022, Modified: June 7, 2023

References

https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
https://www.debian.org/security/2023/dsa-5372
Published: 2022-05-26T00:00:00
Last Modified: 2024-08-03T05:32:59.808Z
Copied to clipboard!