CVE-2022-24722

02.03.2022, 23:15

VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the `translate` method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to the `translate` function, or sanitize the inputs before passing them.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
GitHub_M	CNA	8.1 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Vendor	Product	Version
github	viewcomponent	2.31.0 ≤ 𝑥 < 2.31.2
github	viewcomponent	2.32.0 ≤ 𝑥 < 2.49.1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/github/view_component/commit/3f82a6e62578ff6f361aba24a1feb2caccf83ff9

https://github.com/github/view_component/releases/tag/v2.31.2

https://github.com/github/view_component/releases/tag/v2.49.1

https://github.com/github/view_component/security/advisories/GHSA-cm9w-c4rj-r2cf

https://github.com/github/view_component/commit/3f82a6e62578ff6f361aba24a1feb2caccf83ff9

https://github.com/github/view_component/releases/tag/v2.31.2

https://github.com/github/view_component/releases/tag/v2.49.1

https://github.com/github/view_component/security/advisories/GHSA-cm9w-c4rj-r2cf