CVE-2024-21636

Exploit

EPSS 0.5%
Veröffentlicht 04.01.2024 20:15:25
Zuletzt bearbeitet 21.11.2024 08:54:46
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

view_component Cross-site Scripting vulnerability

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Viewcomponent ≫ View Component SwPlatformruby Version < 2.83.0

Viewcomponent ≫ View Component SwPlatformruby Version >= 3.0.0 < 3.9.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.5%	0.385

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017

Patch

https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697

Patch

https://github.com/ViewComponent/view_component/pull/1950

Patch

Exploit

Issue Tracking

https://github.com/ViewComponent/view_component/pull/1962

Issue Tracking

https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-21636

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-21636

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-21636

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-21636