GHSA-prjp-h48f-jgf6

Suggest an improvement
Source
https://github.com/advisories/GHSA-prjp-h48f-jgf6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-prjp-h48f-jgf6/GHSA-prjp-h48f-jgf6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-prjp-h48f-jgf6
Aliases
Published
2024-06-04T22:26:22Z
Modified
2024-06-05T22:00:43.209835Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
ActionText ContentAttachment can Contain Unsanitized HTML
Details

Instances of ActionText::Attachable::ContentAttachment included within a richtextarea tag could potentially contain unsanitized HTML.

This has been assigned the CVE identifier CVE-2024-32464.

Versions Affected: >= 7.1.0 Not affected: < 7.1.0 Fixed Versions: 7.1.3.4

Impact

This could lead to a potential cross site scripting issue within the Trix editor.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

  • actiontextcontentattachmentxss71_stable.patch - Patch for 7.1 series

Credits

Thank you ooooooo_q for reporting this!

References

Affected packages

RubyGems / actiontext

Package

Name
actiontext
Purl
pkg:gem/actiontext

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.1.3.4

Affected versions

7.*

7.1.0
7.1.1
7.1.2
7.1.3
7.1.3.1
7.1.3.2
7.1.3.3

RubyGems / actiontext

Package

Name
actiontext
Purl
pkg:gem/actiontext

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0.beta1
Fixed
7.2.0.beta2

Affected versions

7.*

7.2.0.beta1