6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23519

GHSA ID

GHSA-9h9g-93gc-623h

EPSS Score

0.3496%

CWE

CWE-79

Published

12/13/2022

Updated

2/13/2025

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23519

CVE-2022-23519: Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Summary

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4

Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:

allow both "math" and "style" elements,
or allow both "svg" and "style" elements

Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:

using application configuration:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["math", "style"]
# or
config.action_view.sanitized_allowed_tags = ["svg", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

using a :tags option to the Action View helper sanitize:

<%= sanitize @comment.body, tags: ["math", "style"] %>
<%# or %>
<%= sanitize @comment.body, tags: ["svg", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

using Rails::Html::SafeListSanitizer class method allowed_tags=:

# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"]
# or
Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"]

using a :tags options to the Rails::Html::SafeListSanitizer instance method sanitize:

# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
# or
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])

All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.

Workarounds

Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.

References

CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
https://hackerone.com/reports/1656627

Credit

This vulnerability was responsibly reported by Dominic Breuker.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23519

GHSA ID

GHSA-9h9g-93gc-623h

EPSS Score

0.3496%

CWE

CWE-79

Published

12/13/2022

Updated

2/13/2025

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rails-html-sanitizer	rubygems	< 1.4.4	1.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests when specific tag combinations (math+style or svg+style) are allowed through four configuration mechanisms. Three functions are directly involved: 1) The sanitize() helper method with tags parameter, 2) The class-level allowed_tags setter, and 3) The SafeListSanitizer.sanitize() method with tags parameter. These functions become vulnerable vectors when misconfigured because they permit dangerous element combinations that bypass proper sanitization. The advisory explicitly identifies these as the impacted code paths, making confidence high.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry T**r* is * possi*l* XSS vuln*r**ility wit* **rt*in *on*i*ur*tions o* R*ils::*tml::S*nitiz*r. - V*rsions *****t**: *LL - Not *****t**: NON* - *ix** v*rsions: *.*.* ## Imp**t * possi*l* XSS vuln*r**ility wit* **rt*in *on*i*ur*tions o* R

Reasoning

T** vuln*r**ility m*ni**sts w**n sp**i*i* t** *om*in*tions (m*t*+styl* or sv*+styl*) *r* *llow** t*rou** *our *on*i*ur*tion m****nisms. T*r** *un*tions *r* *ir**tly involv**: *) T** `s*nitiz*()` **lp*r m*t*o* wit* t**s p*r*m*t*r, *) T** *l*ss-l*v*l `

6.1

Basic Information

Concerned about an active attack path?

CVE-2022-23519: Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Summary

Impact

Workarounds

References

Credit

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI