CVE-2022-32209
Published: 24 June 2022
Summary
CVE-2022-32209 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Rails::Html::Sanitizer, the rails-html-sanitizer gem used by Ruby on Rails; the NVD entry lists Fedoraproject Fedora among the affected products because the distribution ships the gem. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 9.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-32209 is a cross-site scripting vulnerability in Rails::Html::Sanitizer, the rails-html-sanitizer gem that Ruby on Rails uses to sanitize untrusted HTML. Every release before 1.4.3 is affected, and 1.4.3 fixes it. The flaw is reachable only when an application overrides the sanitizer's default safe list so that both the "select" and "style" elements are allowed, whether through the config.action_view.sanitized_allowed_tags setting, the :tags option of the sanitize view helper, or Rails::Html::SafeListSanitizer's class-level allowed_tags or per-call tags option. Applications that keep the default safe list are not affected.
An unauthenticated remote attacker exploits it by submitting crafted HTML that the sanitizer passes because both elements are permitted, but that the victim's browser then executes as script. The result is cross-site scripting with a limited impact on confidentiality and integrity, reflected in the CVSS 6.1 score and the CWE-79 classification. The attack requires user interaction (the victim must view the page containing the injected content) and is possible only in applications that have performed the specific tag override.
Advisories recommend upgrading to 1.4.3 or later, or, as a workaround, removing either "select" or "style" from any overridden allowed-tags list so that the two are never allowed together. The public references (the original HackerOne report and the Debian and Fedora distribution announcements) document the same guidance and credit windshock for the responsible disclosure. The associated EPSS score has stayed low, with only minor fluctuation, since publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6111
Vulnerability details
# Possible XSS Vulnerability in Rails::Html::Sanitizer

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

This vulnerability has been assigned the CVE identifier CVE-2022-32209.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3

## Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.

Code is only impacted if allowed tags are being overridden. This may be done via application configuration:

```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a `:tags` option to the Action View helper `sanitize`:

```
<%= sanitize @comment.body, tags: ["select", "style"] %>
```

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

Or it may be done with Rails::Html::SafeListSanitizer directly:

```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```

or

```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

## Releases

The FIXED releases are available at the normal locations.

## Workarounds

Remove either `select` or `style` from the overridden allowed tags.

## Credits

This vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).
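As an added example (not code from the rails-html-sanitizer project or from the advisory above), the following Ruby script turns the precondition described in the Deeper analysis and in the advisory into an audit check: it decides whether a given rails-html-sanitizer version together with an overridden allowed-tags list is exposed, and applies the advisory's workaround of dropping one of the two tags. The helper names, the version strings and the tag lists are constructed for illustration; the script does not load the gem and runs offline. Tag names are downcased before comparison as a conservative choice of this example, not as a claim about how the gem matches tags.

```ruby
# Added example, not code from rails-html-sanitizer or its advisory.
# Audit helper for CVE-2022-32209: exposure requires an affected gem
# version (anything before 1.4.3) AND an overridden allowed-tags list
# that contains both "select" and "style".
require "rubygems" # Gem::Version ships with Ruby's standard distribution
require "set"

FIXED_VERSION = Gem::Version.new("1.4.3")
RISKY_PAIR = Set["select", "style"].freeze

# Normalise a configured tag list: coerce symbols to strings, downcase
# (conservative: flags case variants too), and collapse duplicates.
def normalize_tags(tags)
  Set.new(Array(tags).map { |t| t.to_s.downcase })
end

# True when the overridden list allows both select and style, which is
# the precondition the advisory names.
def risky_tag_set?(tags)
  RISKY_PAIR.subset?(normalize_tags(tags))
end

# True for every release before the fix; the advisory gives no lower
# bound ("Versions Affected: ALL"), so only the upper bound is checked.
def affected_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# An application is exposed only when both conditions hold.
def exposed?(version_string, tags)
  affected_version?(version_string) && risky_tag_set?(tags)
end

# Advisory workaround: remove either select or style from the override.
# This example drops "style" unless told otherwise; pass drop: "select"
# to keep style instead. Insertion order of the remaining tags is kept.
def apply_workaround(tags, drop: "style")
  raise ArgumentError, "drop must be \"select\" or \"style\"" unless RISKY_PAIR.include?(drop)
  normalize_tags(tags).to_a.reject { |t| t == drop }
end

if __FILE__ == $0
  # Constructed sample: a 1.4.2 install with the risky override in place.
  version = "1.4.2"
  tags = ["p", "select", "style", "a"]
  puts "exposed before workaround? #{exposed?(version, tags)}"
  safe_tags = apply_workaround(tags)
  puts "allowed tags after workaround: #{safe_tags.inspect}"
  puts "exposed after workaround? #{exposed?(version, safe_tags)}"
end
```

Run it against the real values from `bundle show rails-html-sanitizer` and your `config.action_view.sanitized_allowed_tags` (or any `tags:` options passed to `sanitize`); a result of `true` from `exposed?` means upgrade, or apply the workaround until you can.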
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing: submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
Input validation: rejects web inputs containing script-related content that could produce XSS.
Output validation: checks generated web pages against the expected content and rejects or sanitizes script content, reducing XSS exploitability. For this CVE the HTML sanitizer is itself the flawed output control, so only upgrading to 1.4.3 or later, or removing "select" or "style" from the overridden allowed tags, actually closes the gap.