GHSA-prjp-h48f-jgf6

GitHub Security Advisory

ActionText ContentAttachment can Contain Unsanitized HTML

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML.

This has been assigned the CVE identifier CVE-2024-32464.

Versions Affected: >= 7.1.0
Not affected: < 7.1.0
Fixed Versions: 7.1.3.4

Impact
------
This could lead to a potential cross-site scripting (XSS) issue within the Trix editor.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
N/A

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset.

* action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series

Credits
-------

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this!

Affected Packages

* RubyGems actiontext - Affected versions: 7.1.0 (fixed in 7.1.3.4)
* RubyGems actiontext - Affected versions: 7.2.0.beta1 (fixed in 7.2.0.beta2)
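An added example, not part of the advisory or of the Rails project, that turns the version ranges above into a check a maintainer can run against a Gemfile.lock; the lockfile text and the helper names are constructed for illustration:

```ruby
# Added example (not from the advisory): check whether an installed
# actiontext version falls inside the ranges GHSA-prjp-h48f-jgf6 lists.
require "rubygems"

# Ranges taken from the advisory: affected from 7.1.0 up to the fix in
# 7.1.3.4, plus the 7.2.0.beta1 prerelease, fixed in 7.2.0.beta2.
AFFECTED_RANGES = {
  "7.1" => Gem::Requirement.new(">= 7.1.0", "< 7.1.3.4"),
  "7.2" => Gem::Requirement.new(">= 7.2.0.beta1", "< 7.2.0.beta2"),
}.freeze

# Returns the series label of the matching affected range, nil when the
# version is outside every listed range (including < 7.1.0, which the
# advisory marks as not affected), or :invalid for a malformed string.
def actiontext_affected_series(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.each do |series, requirement|
    return series if requirement.satisfied_by?(version)
  end
  nil
rescue ArgumentError
  # A malformed version is reported as unknown rather than as safe.
  :invalid
end

# true / false for a parseable version, nil when it could not be parsed.
def actiontext_affected?(version_string)
  result = actiontext_affected_series(version_string)
  result == :invalid ? nil : !result.nil?
end

# Pull the top-level actiontext entry (4-space indent) out of a
# Gemfile.lock; dependency lines are indented deeper and are skipped.
def actiontext_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}actiontext \(([^)]+)\)/)
  match && match[1]
end

SAMPLE_LOCK = <<~LOCK # constructed sample, not a real project's lockfile
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.3.3)
      actiontext (7.1.3.3)
        actionpack (= 7.1.3.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = actiontext_version_from_lockfile(SAMPLE_LOCK)
  puts "actiontext #{v}: #{actiontext_affected?(v) ? 'AFFECTED' : 'not affected'}"
end
```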

Key Information

GHSA ID: GHSA-prjp-h48f-jgf6
Published: June 4, 2024 10:26 PM
Last Modified: August 27, 2024 2:20 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: RubyGems
Primary Package: actiontext
GitHub Reviewed: Yes

Dataset

Last updated: September 29, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.