GHSA-ch3h-j2vf-95pv

GitHub Security Advisory

XSS Vulnerability in Action View tag helpers

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

There is a possible XSS vulnerability in Action View tag helpers. Passing untrusted input as hash keys can lead to a possible XSS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2022-27777.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

## Impact

If untrusted data is passed as a hash key for tag attributes, that data may not be properly escaped, which can lead to an XSS vulnerability.

Impacted code will look something like this:

```ruby
check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })
```

where the `malicious_input` variable contains untrusted data.

All users running an affected release should either upgrade or use one of the workarounds immediately.

## Releases

The FIXED releases are available at the normal locations.

## Workarounds

Escape the untrusted data before using it as a key for tag helper methods.
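The following is an added example, not code from the advisory or from Rails itself. It uses a simplified stand-in for an attribute renderer (an assumption made here so the snippet runs without Action View) that escapes values but not keys, which is the behaviour the advisory describes, and shows the workaround: running the untrusted key through `ERB::Util.html_escape` before it is used in the `aria:` hash. The untrusted key and the helper names are constructed for this example.

```ruby
require "erb"

# Simplified stand-in for how an "aria: { ... }" hash becomes HTML attributes.
# This is NOT Action View's implementation (assumption for this example):
# values are escaped, keys are interpolated as-is, mirroring the advisory.
def render_aria_attributes(aria)
  aria.map { |key, value| %(aria-#{key}="#{ERB::Util.html_escape(value)}") }.join(" ")
end

# Workaround from the advisory: escape untrusted data before using it as a key.
def escape_aria_keys(aria)
  aria.each_with_object({}) do |(key, value), out|
    out[ERB::Util.html_escape(key.to_s)] = value
  end
end

# Constructed sample of attacker-controlled text used as a hash key.
UNTRUSTED_KEY = 'label" data-injected="yes'

# Unescaped key: the quote closes the attribute and a new attribute appears.
def vulnerable_output
  render_aria_attributes({ UNTRUSTED_KEY => "thevalueofaria" })
end

# Escaped key: the quote is rendered as &quot; and stays inside the name.
def hardened_output
  render_aria_attributes(escape_aria_keys({ UNTRUSTED_KEY => "thevalueofaria" }))
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped key: #{vulnerable_output}"
  puts "escaped key:   #{hardened_output}"
end
```

The key point for reviewers is that escaping the value (which the helper already does) is not enough: the attribute name is emitted verbatim, so the key itself must be escaped or, better, restricted to a known allow-list before it reaches the helper.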

Affected Packages

- RubyGems actionview: affected versions 0 (fixed in 5.2.7.1)
- RubyGems actionview: affected versions 6.0.0 (fixed in 6.0.4.8)
- RubyGems actionview: affected versions 6.1.0 (fixed in 6.1.5.1)
- RubyGems actionview: affected versions 7.0.0 (fixed in 7.0.2.4)

Key Information

GHSA ID
GHSA-ch3h-j2vf-95pv
Published
April 27, 2022 10:32 PM
Last Modified
June 7, 2023 3:35 PM
CVSS Score
5.0 /10
Primary Ecosystem
RubyGems
Primary Package
actionview
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 1, 2025 6:44 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.