Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2024-21636
Good to know:
Date: January 4, 2024
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a "#call" method (i.e. instead of using a sidecar template) are affected. The return value of the "#call" method is not sanitized and can include user-defined content. In addition, the return value of the "#output_postamble" methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the "#call" and the "#output_postamble" vulnerabilities. As a workaround, sanitize the return value of "#call".
Language: Ruby
Severity Score
Related Resources (9)
Severity Score
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79Top Fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | REQUIRED |
| Scope (S): | CHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | LOW |
| Availability (A): | NONE |