6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23520

GHSA ID

GHSA-rrfc-7g8p-99q8

EPSS Score

0.55937%

CWE

CWE-79

Published

12/13/2022

Updated

2/13/2025

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23520

CVE-2022-23520: Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Summary

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.

Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4

Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.

Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:

Using the Rails configuration config.action_view.sanitized_allow_tags=:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]

(see https://guides.rubyonrails.org/configuring.html#configuring-action-view)

Using the class method Rails::Html::SafeListSanitizer.allowed_tags=:

# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]

All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:

the :tags option to the Action View helper method sanitize.
the :tags option to the instance method SafeListSanitizer#sanitize.

Workarounds

Remove either "select" or "style" from the overridden allowed tags.

References

CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209
https://hackerone.com/reports/1654310

Credit

This vulnerability was responsibly reported by Dominic Breuker.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-23520

CVE-2022-23520:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23520

GHSA ID

GHSA-rrfc-7g8p-99q8

EPSS Score

0.55937%

CWE

CWE-79

Published

12/13/2022

Updated

2/13/2025

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rails-html-sanitizer	rubygems	< 1.4.4	1.4.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly manifests when either: 1) the class method Rails::Html::SafeListSanitizer.allowed_tags= is used, or 2) the Rails config.action_view.sanitized_allowed_tags= configuration is set. Both mechanisms globally override sanitization allowlists without proper context isolation, creating XSS risk when both 'select' and 'style' tags are permitted. The advisory specifically identifies these two entry points as vulnerable configuration vectors while excluding instance-level and helper method overrides.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23520: Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Summary

Impact

Workarounds

References

Credit

CVE-2022-23520:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.1

6.1

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-23520: Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Summary

Impact

Workarounds

References

Credit

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI