Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-32464

MEDIUM
Published 2024-06-04T19:53:59.774Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-32464. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
6.1
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.000
probability
of exploitation in the wild

There is a 0.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.106
Higher than 10.6% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED

Impact Metrics

Confidentiality
LOW
Integrity
LOW
Availability
NONE

Description

Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

rails

rails

Affected Versions:

>= 7.1.0, < 7.1.3.4 = 7.2.0.beta1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

ActionText ContentAttachment can Contain Unsanitized HTML

GHSA-prjp-h48f-jgf6

Advisory Details

Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This has been assigned the CVE identifier CVE-2024-32464. Versions Affected: >= 7.1.0 Not affected: < 7.1.0 Fixed Versions: 7.1.3.4 Impact ------ This could lead to a potential cross site scripting issue within the Trix editor. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series Credits ------- Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this!

Affected Packages

RubyGems actiontext
ECOSYSTEM: ≥7.1.0 <7.1.3.4
RubyGems actiontext
ECOSYSTEM: ≥7.2.0.beta1 <7.2.0.beta2

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

WEB https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-32464
WEB https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995
PACKAGE https://github.com/rails/rails
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-32464.yml

Advisory provided by GitHub Security Advisory Database. Published: June 4, 2024, Modified: August 27, 2024

References

https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6
https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995

HackerOne Reports

[CVE-2024-32464] ActionText ContentAttachment’s can Contain Unsanitized HTML Medium
ooooooo_q
Internet Bug Bounty
$2600.00
Cross-site Scripting (XSS) - Stored
View Report
Published: 2024-06-04T19:53:59.774Z
Last Modified: 2024-08-02T02:13:39.964Z
Copied to clipboard!