RubySecRUBY:ACTIONTEXT-2024-32464ActionText ContentAttachment can Contain Unsanitized HTML
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.0005 Low
EPSS
Percentile
17.0%
Instances of ActionText::Attachable::ContentAttachment included
within a rich_text_area tag could potentially contain unsanitized HTML.
This has been assigned the CVE identifier CVE-2024-32464.
Versions Affected: >= 7.1.0
Not affected: < 7.1.0
Fixed Versions: 7.1.3.4
Impact
This could lead to a potential cross site scripting issue within the Trix editor.
Releases
The fixed releases are available at the normal locations.
Workarounds
N/A
Patches
To aid users who aren’t able to upgrade immediately we have provided
patches for the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist
of a single changeset.
- action_text_content_attachment_xss_7_1_stable.patch - Patch for 7.1 series
Credits
Thank you ooooooo_q for reporting this!
| CPE | Name | Operator | Version |
|---|---|---|---|
| actiontext | lt | 7.1.0 | |
| actiontext | le | 7.1.3.3 | |
| actiontext | ge | 7.1.4.0 | |
| actiontext | lt | 7.2.0.beta2 |
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.0005 Low
EPSS
Percentile
17.0%