Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Vendor: Ruby on Rails Vendor URL: https://rubyonrails.org Versions affected: versions prior to 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1 Operating Systems Affected: ALL Author: Álvaro Martín Fraguas <alvaro.martin[at]nccgroup[dot]com> Advisory URLs: - https://groups.google.com/g/rubyonrails-security/c/Yg2tEh2UUqc - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777 Accepted commit for the fix in the official master branch: - https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85 Risk: Medium (XSS vulnerability in some cases for some Rails methods). Summary … Continue reading Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)