CVE-2022-24722 Information
Description
ViewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that can affect anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the translate method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to the translate function, or sanitize the inputs before passing them.
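The mechanism described above, as an added example that is not code from the view_component project: a minimal stand-in for a Rails-style translate helper with an `_html` key, first in the vulnerable form (the interpolated result is marked HTML-safe as a whole, so whatever the caller passed as an interpolation argument reaches the page unescaped) and then hardened by escaping each interpolation argument before it is substituted. The translation table, the `SafeString` wrapper (standing in for `ActiveSupport::SafeBuffer`) and the payload are all constructed for this example; only plain Ruby and `ERB::Util` are used, so it runs without Rails, and it is not the gem's actual patch.

```ruby
require "erb"

# Constructed sample translation table standing in for a locale file.
# By Rails convention a key ending in "_html" is rendered as trusted HTML.
TRANSLATIONS = {
  "greeting_html" => "Hello, <strong>%{name}</strong>!",
  "greeting"      => "Hello, %{name}!",
}.freeze

# Minimal stand-in for an html_safe string: a marker wrapper that tells the
# view layer "do not escape this again".
SafeString = Struct.new(:value) do
  def to_s; value; end
  def html_safe?; true; end
end

# Substitute %{name}-style placeholders with the supplied keyword arguments.
def interpolate(template, args)
  template.gsub(/%\{(\w+)\}/) { args.fetch($1.to_sym).to_s }
end

# Vulnerable pattern: the whole interpolated result is marked safe, so an
# interpolation argument that came from user input is emitted verbatim.
def translate_vulnerable(key, **args)
  raw = interpolate(TRANSLATIONS.fetch(key), args)
  key.end_with?("_html") ? SafeString.new(raw) : raw
end

# Hardened pattern: for _html keys, HTML-escape every interpolation argument
# before substitution, so only the template's own markup stays trusted
# (the same rule Rails' built-in translate helper applies to _html keys).
# Non-_html keys return a plain String that the view layer escapes itself.
def translate_hardened(key, **args)
  template = TRANSLATIONS.fetch(key)
  return interpolate(template, args) unless key.end_with?("_html")

  escaped = args.transform_values { |v| ERB::Util.html_escape(v.to_s) }
  SafeString.new(interpolate(template, escaped))
end

# The advisory's workaround for the vulnerable version: the caller sanitizes
# the input before passing it as an interpolation argument.
def translate_with_caller_escaping(key, **args)
  escaped = args.transform_values { |v| ERB::Util.html_escape(v.to_s) }
  translate_vulnerable(key, **escaped)
end

if __FILE__ == $0
  payload = "<img src=x onerror=alert(1)>"   # constructed user input
  puts "vulnerable: #{translate_vulnerable("greeting_html", name: payload)}"
  puts "hardened:   #{translate_hardened("greeting_html", name: payload)}"
  puts "workaround: #{translate_with_caller_escaping("greeting_html", name: payload)}"
end
```

Running it shows the vulnerable helper placing the `<img ...>` tag inside the trusted `<strong>` markup, while both the hardened helper and the caller-side workaround emit `&lt;img src=x onerror=alert(1)&gt;`. The important check when auditing your own components is the `_html` key path: a plain (non-`_html`) key is harmless here only because the view layer escapes the whole String afterwards.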
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
https://github.com/github/view_component/releases/tag/v2.31.2
https://github.com/github/view_component/security/advisories/GHSA-cm9w-c4rj-r2cf
https://github.com/github/view_component/commit/3f82a6e62578ff6f361aba24a1feb2caccf83ff9
https://github.com/github/view_component/releases/tag/v2.49.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.1
Base Severity
MEDIUM