CVE-2024-32464
Description
Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.
CWE
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected
- rails / rails: versions >= 7.1.0 and < 7.1.3.4 (affected); version 7.2.0.beta1 (affected)
CVSS
- CVSS 3.1: 6.1 (MEDIUM)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References
- https://github.com/rails/rails/security/advisories/GHSA-prjp-h48f-jgf6 x_refsource_CONFIRM
- https://github.com/rails/rails/commit/e215bf3360e6dfe1497c1503a495e384ed6b0995 x_refsource_MISC
Source
cvelistV5-main/cves/2024/32xxx/CVE-2024-32464.json