
CVE-2022-23518: Improper neutralization of data URIs may allow XSS in rails-html-sanitizer

CVSS Score: 6.1 (CVSS 3.1)

Basic Information

EPSS Score: 0.44197%
Published: 12/13/2022
Updated: 9/14/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
rails-html-sanitizer | rubygems | >= 1.0.3, < 1.4.4 | 1.4.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from missing data URI validation in rails-html-sanitizer's attribute scrubbing logic. GitHub issue #135 shows that PermitScrubber's scrub_attribute() method (lines 142-154 in scrubbers.rb) checks only the URI scheme of href/src-style attributes and lacks the data URI mediatype check present in Loofah's implementation; because data is an allowed scheme, a crafted data:text/html or data:application/vnd.wap.xhtml+xml URI survives sanitization and yields XSS. The test case in the issue shows the sanitizer failing to remove such data URIs from iframe src attributes when the caller supplies its own allowed tags and attributes, which is the custom-safe-list path that routes through PermitScrubber rather than Loofah's default scrubber.
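As an added example, not code from rails-html-sanitizer or Loofah, the following dependency-free Ruby model shows the attribute check described above. `unsafe_uri_vulnerable?` reproduces the scheme-only check (data is an allowed scheme, so the mediatype is never examined); `unsafe_uri_hardened?` adds the mediatype check modelled on the one Loofah's scrubber applies; `scrub_attributes` shows the effect on an iframe's attributes; and `vulnerable_version?` encodes the affected range from the table above. The safe lists, attribute names, helper names and the sample payload are constructed for this example, and the safe lists are deliberately shorter than the real ones.

```ruby
require "cgi"

# Added example, not rails-html-sanitizer's or Loofah's own code: a
# dependency-free model of the URI-attribute check at the heart of
# CVE-2022-23518. The safe lists below are constructed for this example
# and are deliberately shorter than Loofah's real ones.
ALLOWED_PROTOCOLS = %w[http https mailto ftp data].freeze
ALLOWED_URI_DATA_MEDIATYPES = %w[image/gif image/jpeg image/png text/css text/plain].freeze
URI_ATTRIBUTES = %w[href src cite action longdesc xlink:href].freeze

# Characters an HTML5 sanitizer strips before looking at a URI, so that
# "java\tscript:" is seen as "javascript:".
CONTROL_CHARACTERS = /[`\u0000-\u0020\u007f]/
# Simplified scheme separator (the real one also matches entity-encoded colons).
PROTOCOL_SEPARATOR = /:|%3a/i

# Decode entities, drop control characters and lower-case, so that
# "&#100;ata:TEXT/html" normalises to "data:text/html".
def normalize_uri(value)
  CGI.unescapeHTML(value).gsub(CONTROL_CHARACTERS, "").downcase
end

# Vulnerable shape (scheme-only check): "data" is an allowed scheme, so any
# data: URI survives, including data:text/html carrying a script.
# Returns true when the attribute should be removed.
def unsafe_uri_vulnerable?(value)
  v = normalize_uri(value)
  return false unless v.match?(/\A[a-z0-9][-+.a-z0-9]*:/)
  !ALLOWED_PROTOCOLS.include?(v.split(PROTOCOL_SEPARATOR)[0])
end

# Hardened shape: after the scheme check, a data: URI must also carry an
# allowed mediatype. The mediatype ends at the first ";" (parameters such as
# base64) or "," (start of the data), per RFC 2397.
def unsafe_uri_hardened?(value)
  v = normalize_uri(value)
  return false unless v.match?(/\A[a-z0-9][-+.a-z0-9]*:/)
  scheme, rest = v.split(PROTOCOL_SEPARATOR, 2)
  return true unless ALLOWED_PROTOCOLS.include?(scheme)
  return false unless scheme == "data"
  mediatype = rest.to_s.split(";").first.to_s.split(",").first.to_s
  !ALLOWED_URI_DATA_MEDIATYPES.include?(mediatype)
end

# Apply a check to the URI-carrying attributes of one element and return the
# attributes that survive; non-URI attributes are left alone.
def scrub_attributes(attrs, unsafe_check)
  attrs.reject { |name, value| URI_ATTRIBUTES.include?(name) && unsafe_check.call(value) }
end

# Affected rubygems range for rails-html-sanitizer (>= 1.0.3, < 1.4.4).
def vulnerable_version?(version)
  v = Gem::Version.new(version)
  v >= Gem::Version.new("1.0.3") && v < Gem::Version.new("1.4.4")
end

if __FILE__ == $0
  # Constructed sample: an iframe whose src is a base64 data:text/html
  # document containing <script>alert(1)</script>.
  payload = "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="
  attrs = { "src" => payload, "width" => "100" }
  puts "scheme-only check keeps src: #{scrub_attributes(attrs, method(:unsafe_uri_vulnerable?)).key?("src")}"
  puts "mediatype check keeps src:   #{scrub_attributes(attrs, method(:unsafe_uri_hardened?)).key?("src")}"
  puts "1.4.3 affected: #{vulnerable_version?("1.4.3")}, 1.4.4 affected: #{vulnerable_version?("1.4.4")}"
end
```

The practical caveat the check illustrates: the vulnerable path is reached only when an application passes its own `tags:` or `attributes:` to the sanitizer, which is what routes scrubbing through PermitScrubber; the default safe list runs Loofah's scrubber, which already applied the mediatype check. Upgrading to 1.4.4 is the fix; this model is for understanding what the fix changes and for exercising your own sanitizer configuration against data: payloads.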


WAF Protection Rules

WAF Rule

## Summary
rails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.

## Mitigation
Upgrade to rails-html-sanitizer `>= 1.4.4`.

## Severity
The maintainers have
