CVE-2024-21636
January 04, 2024
view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a "#call" method (i.e. instead of using a sidecar template) are affected. The return value of the "#call" method is not sanitized and can include user-defined content. In addition, the return value of the "#output_postamble" methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the "#call" and the "#output_postamble" vulnerabilities. As a workaround, sanitize the return value of "#call".
Affected Packages
view_component (RUBY):
Affected version(s) >=1.16.0 <2.83.0Fix Suggestion:
Update to version 2.83.0view_component (RUBY):
Affected version(s) >=3.0.0 <3.9.0Fix Suggestion:
Update to version 3.9.0Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (8)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
EPSS
Base Score:
0.50
