SCA: security update for rails-html-sanitizer (GHSA-rrfc-7g8p-99q8)

medium Tenable Self-Hosted Container Security Plugin ID 418897

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version
1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to
an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the
application developer has overridden the sanitizer's allowed tags to allow both "select" and "style"
elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version
1.4.4. All users overriding the allowed tags to include both "select" and "style" should either upgrade or
use this workaround: Remove either "select" or "style" from the overridden allowed tags. NOTE: Code is
_not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper
method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. (CVE-2022-23520)

See Also

https://github.com/advisories/GHSA-rrfc-7g8p-99q8

Plugin Details

Severity: Medium

ID: 418897

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2022-23520

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/13/2022

Vulnerability Publication Date: 12/13/2022

Reference Information

CVE: CVE-2022-23520

cwe: CWE-79