[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

646 views
Skip to first unread message

Aaron Patterson

unread,
Apr 26, 2022, 3:54:15 PMApr 26
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com

There is a possible XSS vulnerability in Action View tag helpers.  Passing

untrusted input as hash keys can lead to a possible XSS vulnerability. This

vulnerability has been assigned the CVE identifier CVE-2022-27777.


Versions Affected:  ALL

Not affected:       NONE

Fixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1


Impact

------

If untrusted data is passed as the hash key for tag attributes, there is a

possibility that the untrusted data may not be properly escaped which can

lead to an XSS vulnerability.


Impacted code will look something like this:


```

check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })

```


Where the "malicious_input" variable contains untrusted data.


All users running an affected release should either upgrade or use one of the

workarounds immediately.


Releases

--------

The FIXED releases are available at the normal locations.


Workarounds

-----------

Escape the untrusted data before using it as a key for tag helper methods.


Patches

-------

To aid users who aren't able to upgrade immediately we have provided patches for

the two supported release series. They are in git-am format and consist of a

single changeset.


* 5-2-tag-helper-xss.patch - Patch for 5.2 series

* 6-0-tag-helper-xss.patch - Patch for 6.0 series

* 6-1-tag-helper-xss.patch - Patch for 6.1 series

* 7-0-tag-helper-xss.patch - Patch for 7.0 series


Credits

-------


Thank you to [Álvaro Martín Fraguas](https://hackerone.com/amartinfraguas) for

reporting the issue and providing patches!

5-2-tag-helper-xss.patch
6-0-tag-helper-xss.patch
7-0-tag-helper-xss.patch
6-1-tag-helper-xss.patch
Reply all
Reply to author
Forward
0 new messages