rubysec
diff --git a/‎advisories/_posts/2024-12-02-CVE-2024-53985.md
Lines changed: 141 additions & 0 deletions b/‎advisories/_posts/2024-12-02-CVE-2024-53985.md
Lines changed: 141 additions & 0 deletions
diff --git a/‎advisories/_posts/2024-12-02-CVE-2024-53986.md
Lines changed: 125 additions & 0 deletions b/‎advisories/_posts/2024-12-02-CVE-2024-53986.md
Lines changed: 125 additions & 0 deletions
diff --git a/‎advisories/_posts/2024-12-02-CVE-2024-53987.md
Lines changed: 123 additions & 0 deletions b/‎advisories/_posts/2024-12-02-CVE-2024-53987.md
Lines changed: 123 additions & 0 deletions
@@ -0,0 +1,141 @@
+---
+layout: advisory
+title: 'CVE-2024-53985 (rails-html-sanitizer): rails-html-sanitizer has XSS vulnerability
+  with certain configurations'
+comments: false
+categories:
+- rails-html-sanitizer
+- rails
+advisory:
+  gem: rails-html-sanitizer
+  framework: rails
+  cve: 2024-53985
+  ghsa: w8gc-x259-rc7x
+  url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
+  title: rails-html-sanitizer has XSS vulnerability with certain configurations
+  date: 2024-12-02
+  description: |
+    ## Summary
+
+    There is a possible XSS vulnerability with certain configurations of
+    Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and
+    Nokogiri < 1.15.7, or 1.16.x < 1.16.8.
+
+    * Versions affected: 1.6.0
+    * Not affected: < 1.6.0
+    * Fixed versions: 1.6.1
+
+    Please note that the fix in v1.6.1 is to update the dependency on
+    Nokogiri to 1.15.7 or >= 1.16.8.
+
+    ## Impact
+
+    A possible XSS vulnerability with certain configurations of
+    Rails::HTML::Sanitizer may allow an attacker to inject content if
+    HTML5 sanitization is enabled and the application developer has
+    overridden the sanitizer's allowed tags in either of the following ways:
+
+    * allow both "math" and "style" elements
+    * or allow both "svg" and "style" elements
+
+    Code is only impacted if Rails is configured to use HTML5 sanitization,
+    please see documentation for
+    [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+    and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+    for more information on these configuration options.
+
+    Code is only impacted if allowed tags are being overridden.
+    Applications may be doing this in a few different ways:
+
+    1. using application configuration to configure Action View
+       sanitizers' allowed tags:
+
+      ```ruby
+      # In config/application.rb
+      config.action_view.sanitized_allowed_tags = ["math", "style"]
+      # or
+      config.action_view.sanitized_allowed_tags = ["svg", "style"]
+      ```
+
+      see https://guides.rubyonrails.org/configuring.html#configuring-action-view
+
+    2. using a `:tags` option to the Action View helper `sanitize`:
+
+      ```
+      <= sanitize @comment.body, tags: ["math", "style"] >
+      <# or>
+      <= sanitize @comment.body, tags: ["svg", "style"] >
+      ```
+
+      see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
+
+    3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:
+
+      ```ruby
+      # class-level option
+      Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]
+      # or
+      Rails::HTML5::SafeListSanitizer.allowed_tags = ["svg", "style"]
+      ```
+
+      (note that this class may also be referenced as
+      `Rails::Html::SafeListSanitizer`)
+
+    4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer
+       instance method `sanitize`:
+
+      ```ruby
+      # instance-level option
+      Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
+      # or
+      Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])
+      ```
+      (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)
+
+    5. setting ActionText::ContentHelper module attribute `allowed_tags`:
+
+      ```ruby
+      ActionText::ContentHelper.allowed_tags = ["math", "style"]
+      # or
+      ActionText::ContentHelper.allowed_tags = ["svg", "style"]
+      ```
+
+    All users overriding the allowed tags by any of the above mechanisms
+    to include (("math" or "svg") and "style") should either upgrade or
+    use one of the workarounds.
+
+    ## Workarounds
+
+    Any one of the following actions will work around this issue:
+
+    - Remove "style" from the overridden allowed tags,
+    - Or, remove "math" and "svg" from the overridden allowed tags,
+    - Or, downgrade sanitization to HTML4 (see documentation for
+      [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+      and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+      for more information)
+    - Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8.
+
+    ## References
+
+    - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+    - Original report: https://hackerone.com/reports/2503220
+
+    ## Credit
+
+    This vulnerability was responsibly reported by HackerOne user
+    [@taise](https://hackerone.com/taise?type=user).
+  cvss_v4: 2.3
+  unaffected_versions:
+  - "< 1.6.0"
+  patched_versions:
+  - ">= 1.6.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-53985
+    - https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
+    - https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
+    - https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
+    - https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
+    - https://github.com/advisories/GHSA-w8gc-x259-rc7x
+---
@@ -0,0 +1,125 @@
+---
+layout: advisory
+title: 'CVE-2024-53986 (rails-html-sanitizer): rails-html-sanitizer has XSS vulnerability
+  with certain configurations'
+comments: false
+categories:
+- rails-html-sanitizer
+- rails
+advisory:
+  gem: rails-html-sanitizer
+  framework: rails
+  cve: 2024-53986
+  ghsa: 638j-pmjw-jq48
+  url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48
+  title: rails-html-sanitizer has XSS vulnerability with certain configurations
+  date: 2024-12-02
+  description: |
+    ## Summary
+
+    There is a possible XSS vulnerability with certain configurations of
+    Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.
+
+    * Versions affected: 1.6.0
+    * Not affected: < 1.6.0
+    * Fixed versions: 1.6.1
+
+    ## Impact
+
+    A possible XSS vulnerability with certain configurations of
+    Rails::HTML::Sanitizer may allow an attacker to inject content if
+    HTML5 sanitization is enabled and the application developer has
+    overridden the sanitizer's allowed tags in the following way:
+
+    - the "math" and "style" elements are both explicitly allowed
+
+    Code is only impacted if Rails is configured to use HTML5 sanitization,
+    please see documentation for
+    [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+    and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+    for more information on these configuration options.
+
+    The default configuration is to disallow these elements. Code is only
+    impacted if allowed tags are being overridden. Applications may be
+    doing this in a few different ways:
+
+    1. using application configuration to configure Action View sanitizers'
+       allowed tags:
+
+      ```ruby
+      # In config/application.rb
+      config.action_view.sanitized_allowed_tags = ["math", "style"]
+      ```
+
+      see https://guides.rubyonrails.org/configuring.html#configuring-action-view
+
+    2. using a `:tags` option to the Action View helper `sanitize`:
+
+      ```
+      <= sanitize @comment.body, tags: ["math", "style"]>
+      ```
+
+      see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
+
+    3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:
+
+      ```ruby
+      # class-level option
+      Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]
+      ```
+
+      (note that this class may also be referenced as
+      `Rails::Html::SafeListSanitizer`)
+
+    4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer
+       instance method `sanitize`:
+
+      ```ruby
+      # instance-level option
+      Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
+      ```
+
+      (note that this class may also be referenced as
+       `Rails::Html::SafeListSanitizer`)
+
+    5. setting ActionText::ContentHelper module attribute `allowed_tags`:
+
+      ```ruby
+      ActionText::ContentHelper.allowed_tags = ["math", "style"]
+      ```
+
+    All users overriding the allowed tags by any of the above mechanisms
+    to include both "math" and "style" should either upgrade or use one
+    of the workarounds.
+
+    ## Workarounds
+
+    Any one of the following actions will work around this issue:
+
+    - Remove "math" or "style" from the overridden allowed tags,
+    - Or, downgrade sanitization to HTML4 (see documentation for
+      [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+      and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+      for more information).
+
+    ## References
+
+    - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+    - Original report: https://hackerone.com/reports/2519941
+
+    ## Credit
+
+    This vulnerability was responsibly reported by So Sakaguchi (mokusou).
+  cvss_v4: 2.3
+  unaffected_versions:
+  - "< 1.6.0"
+  patched_versions:
+  - ">= 1.6.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-53986
+    - https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
+    - https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48
+    - https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e
+    - https://github.com/advisories/GHSA-638j-pmjw-jq48
+---
@@ -0,0 +1,123 @@
+---
+layout: advisory
+title: 'CVE-2024-53987 (rails-html-sanitizer): rails-html-sanitizer has XSS vulnerability
+  with certain configurations'
+comments: false
+categories:
+- rails-html-sanitizer
+- rails
+advisory:
+  gem: rails-html-sanitizer
+  framework: rails
+  cve: 2024-53987
+  ghsa: 2x5m-9ch4-qgrr
+  url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr
+  title: rails-html-sanitizer has XSS vulnerability with certain configurations
+  date: 2024-12-02
+  description: |
+    ## Summary
+
+    There is a possible XSS vulnerability with certain configurations of
+    Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.
+
+    * Versions affected: 1.6.0
+    * Not affected: < 1.6.0
+    * Fixed versions: 1.6.1
+
+    ## Impact
+
+    A possible XSS vulnerability with certain configurations of
+    Rails::HTML::Sanitizer may allow an attacker to inject content if
+    HTML5 sanitization is enabled and the application developer has
+    overridden the sanitizer's allowed tags in the following way:
+
+    - the "style" element is explicitly allowed
+    - the "svg" or "math" element is not allowed
+
+    Code is only impacted if Rails is configured to use HTML5 sanitization,
+    please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+    and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+    for more information on these configuration options.
+
+    The default configuration is to disallow all of these elements. Code
+    is only impacted if allowed tags are being overridden. Applications
+    may be doing this in a few different ways:
+
+    1. using application configuration to configure Action View sanitizers'
+       allowed tags:
+
+      ```ruby
+      # In config/application.rb
+      config.action_view.sanitized_allowed_tags = ["style"]
+      ```
+
+      see https://guides.rubyonrails.org/configuring.html#configuring-action-view
+
+    2. using a `:tags` option to the Action View helper `sanitize`:
+
+      ```
+      <= sanitize @comment.body, tags: ["style"] >
+      ```
+
+      see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
+
+    3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:
+
+      ```ruby
+      # class-level option
+      Rails::HTML5::SafeListSanitizer.allowed_tags = ["style"]
+      ```
+
+      (note that this class may also be referenced as
+      `Rails::Html::SafeListSanitizer`)
+
+    4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:
+
+      ```ruby
+      # instance-level option
+      Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["style"])
+      ```
+
+      (note that this class may also be referenced as
+      `Rails::Html::SafeListSanitizer`)
+
+    5. setting ActionText::ContentHelper module attribute `allowed_tags`:
+
+      ```ruby
+      ActionText::ContentHelper.allowed_tags = ["style"]
+      ```
+
+    All users overriding the allowed tags by any of the above mechanisms
+    to include "style" and omit "svg" or "math" should either upgrade
+    or use one of the workarounds.
+
+    ## Workarounds
+
+    Any one of the following actions will work around this issue:
+
+    - Remove "style" from the overridden allowed tags,
+    - Or, downgrade sanitization to HTML4 (see documentation for
+      [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+      and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+      for more information).
+
+    ## References
+
+    - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+    - Original report: https://hackerone.com/reports/2519936
+
+    ## Credit
+
+    This vulnerability was responsibly reported by So Sakaguchi (mnokusou).
+  cvss_v4: 2.3
+  unaffected_versions:
+  - "< 1.6.0"
+  patched_versions:
+  - ">= 1.6.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-53987
+    - https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr
+    - https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e
+    - https://github.com/advisories/GHSA-2x5m-9ch4-qgrr
+---