CVE-2024-32464 actiontext

Package

Manager: gem
Name: actiontext
Vulnerable Version: >=7.1.0 <7.1.3.4 || =7.2.0.beta1 || >=7.2.0.beta1 <7.2.0.beta2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00269 (percentile 0.5013)

Details

ActionText ContentAttachment can Contain Unsanitized HTML

Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML.

This has been assigned the CVE identifier CVE-2024-32464.

Versions Affected: >= 7.1.0
Not affected: < 7.1.0
Fixed Versions: 7.1.3.4

Impact
------

This could lead to a potential cross-site scripting issue within the Trix editor.

Releases
--------

The fixed releases are available at the normal locations.

Workarounds
-----------

N/A

Patches
-------

To aid users who aren't able to upgrade immediately, we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset.

* action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series

Credits
-------

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for reporting this!

Metadata

Created: 2024-06-04T22:26:22Z
Modified: 2024-08-27T14:20:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-prjp-h48f-jgf6/GHSA-prjp-h48f-jgf6.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-prjp-h48f-jgf6
Finding: F008
Auto approve: 1