First published: Wed Mar 02 2022
This is an XSS vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the `translate` method is not properly sanitized before display.

Versions 2.29.1 and 2.49.1 have been released and fully mitigate the vulnerability. Avoid passing user input to the `translate` function, or sanitize the inputs before passing them.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in the [github/view_component](http://github.com/github/view_component) project
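The pattern described above and the mitigation the advisory recommends, as an added example in plain Ruby that is not view_component's own code: the translation table, the `_html` key convention it borrows from Rails, and the `unexpected_tags?` check are constructed for illustration.

```ruby
require 'cgi'

# Constructed translation table (not view_component's). The `_html` suffix
# follows the Rails convention for keys whose value is trusted markup.
TRANSLATIONS = {
  'greeting_html' => 'Welcome back, <strong>%{name}</strong>!'
}.freeze

INTERPOLATION = /%\{(\w+)\}/

# Vulnerable pattern: interpolation arguments are substituted verbatim into
# the trusted template, so markup in user input is rendered as markup.
def translate_unsafe(key, **args)
  TRANSLATIONS.fetch(key).gsub(INTERPOLATION) { args.fetch($1.to_sym).to_s }
end

# Hardened pattern: for `_html` keys, every interpolation argument is
# HTML-escaped first, so only the template's own tags reach the browser.
def translate_safe(key, **args)
  values = args
  values = args.transform_values { |v| CGI.escapeHTML(v.to_s) } if key.end_with?('_html')
  TRANSLATIONS.fetch(key).gsub(INTERPOLATION) { values.fetch($1.to_sym).to_s }
end

# Defender-side check for rendered output: flags any tag that does not
# appear in the translation template itself (i.e. came from an argument).
def unexpected_tags?(rendered, key)
  allowed = TRANSLATIONS.fetch(key).scan(%r{</?\w+[^>]*>})
  rendered.scan(%r{</?\w+[^>]*>}).any? { |tag| !allowed.include?(tag) }
end

if $PROGRAM_NAME == __FILE__
  name = '<b>Mallory</b>' # constructed user-supplied value containing markup
  puts translate_unsafe('greeting_html', name: name) # tags from input survive
  puts translate_safe('greeting_html', name: name)   # tags from input escaped
end
```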
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
rubygems/view_component | >=2.32.0, <2.49.1 | 2.49.1 |
rubygems/view_component | >=2.31.0, <2.31.2 | 2.31.2 |
Github Viewcomponent | >=2.31.0, <2.31.2 | |
Github Viewcomponent | >=2.32.0, <2.49.1 | |
CVE-2022-24722 is an XSS vulnerability in the view_component gem in Ruby on Rails.
CVE-2022-24722 has the potential to impact users of translations with the view_component gem by allowing malicious user input to be displayed without proper sanitization.
The severity of CVE-2022-24722 is high, with a CVSS score of 8.1.
To fix CVE-2022-24722, users should update to version 2.31.2 or higher of the view_component gem.
More information about CVE-2022-24722 can be found in the references provided: [GitHub Advisory](https://github.com/github/view_component/security/advisories/GHSA-cm9w-c4rj-r2cf), [GitHub Commit](https://github.com/github/view_component/commit/3f82a6e62578ff6f361aba24a1feb2caccf83ff9), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-24722).