PT-2018-2635 · Ruby · Sanitize
Published 2018-03-21 · Updated 2018-12-28 · CVE-2018-3740
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Sanitize gem for Ruby, all versions prior to 4.6.3
Description
The vulnerability is an input-validation flaw in the Sanitize HTML sanitizer for Ruby. A remote attacker who controls the HTML being sanitized can supply a specially crafted fragment that bypasses the attribute whitelist, so that attributes which are not whitelisted survive on elements that are. According to the upstream changelog for 4.6.3, the flaw appears when Sanitize 4.6.2 or earlier is combined with libxml2 2.9.2 or later, whose serializer can produce improperly escaped output for such a fragment; 4.6.3 adds extra escaping of the affected attributes. The result is HTML injection that becomes cross-site scripting (XSS) once the sanitized output is rendered in a browser, because a surviving attribute can carry script (for example an event-handler attribute on an otherwise harmless element).
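As an added example (not the advisory's text and not code from the Sanitize project), the following stdlib-only Ruby re-checks a sanitizer's output against an attribute allowlist, catching exactly the failure mode described above: an attribute that is not permitted surviving on an element that is. The allowlist hash mirrors the shape of Sanitize's `:attributes` configuration (`'element' => [names]`, `:all => [names]`); the regexes, `ALLOWLIST`, the sample fragments and `unexpected_attributes` are constructed here for illustration.

```ruby
# Added example (not from the advisory or the Sanitize project): a
# defense-in-depth re-check of sanitizer output against an attribute
# allowlist, using only the Ruby standard library. The allowlist shape
# ('element' => [attrs], :all => [attrs]) mirrors Sanitize's :attributes
# config; every name below is a hypothetical helper written for this page.

# Opening tags only: a tag name followed by an optional attribute blob.
# Closing tags (</a>) never match because '<' must be followed by a letter.
TAG_RE  = /<([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/
# One attribute inside the blob; the value is consumed but not captured.
ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/

# Constructed allowlist: the usual links-and-images case.
ALLOWLIST = {
  'a'   => %w[href title],
  'img' => %w[src alt],
  'b'   => [],
  :all  => %w[class]
}.freeze

# Returns [element, attribute] pairs the allowlist does not permit.
# An element that is not allowlisted at all is reported as [element, nil].
# Names are lower-cased so ONMOUSEOVER and onmouseover are the same attribute.
def unexpected_attributes(html, allowlist)
  findings = []
  html.scan(TAG_RE) do |name, attr_blob|
    element = name.downcase
    unless allowlist.key?(element)
      findings << [element, nil]
      next
    end
    allowed = allowlist.fetch(:all, []) + allowlist[element]
    attr_blob.scan(ATTR_RE).flatten.each do |attr|
      attr = attr.downcase
      findings << [element, attr] unless allowed.include?(attr)
    end
  end
  findings
end

# True when the output carries nothing outside the allowlist.
def allowlist_respected?(html, allowlist)
  unexpected_attributes(html, allowlist).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples standing in for what a sanitizer returned.
  [
    '<a href="https://example.com" title="t">ok</a>',
    '<a href="x" ONMOUSEOVER="alert(1)">x</a>',
    '<img src=x onerror=alert(1)>',
    '<script>alert(1)</script>'
  ].each { |html| p [html, unexpected_attributes(html, ALLOWLIST)] }
end
```

Because the input to this check has already been serialized by a real HTML parser, a tag-level tokenizer is adequate for it; treat it as a gate that fails the response (or alerts) when the sanitizer did not do its job, not as a substitute for the upgrade.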
Recommendations
Update the Sanitize gem to version 4.6.3 or later; this is the fix and it covers every version before 4.6.3.
A workaround is only relevant where the upgrade cannot be applied at once. In that case do not treat Sanitize's output as trusted: avoid passing attacker-controlled HTML through the affected versions, and verify that the output still obeys the configured element and attribute whitelist before rendering it.
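An added example (again not from the advisory or the project) for the upgrade recommendation above: a check that reads the Sanitize pin out of a Gemfile.lock and compares it with 4.6.3 using `Gem::Version` from the standard library, so a CI job can fail while a vulnerable version is still resolved. The lockfile fragment is constructed, and the names `FIXED_SANITIZE`, `LOCK_ENTRY` and `sanitize_lock_status` are mine.

```ruby
# Added example (not from the advisory or the Sanitize project): gate a
# build on the Sanitize version pinned in Gemfile.lock, using only the
# RubyGems version comparison from the standard library. The lockfile
# text below is constructed; the constant and function names are mine.
require 'rubygems'

FIXED_SANITIZE = Gem::Version.new('4.6.3')

# Bundler writes resolved gems at four-space indent under "specs:"; the
# six-space lines beneath a gem are its dependency constraints, not pins,
# so requiring exactly four spaces skips "sanitize (>= 4.0)" style lines.
LOCK_ENTRY = /^ {4}sanitize \(([^)\s]+)\)\s*$/

# Returns {present:, version:, vulnerable:} for the pinned Sanitize gem.
def sanitize_lock_status(lockfile_text)
  m = LOCK_ENTRY.match(lockfile_text)
  return { present: false, version: nil, vulnerable: false } unless m
  version = Gem::Version.new(m[1])
  { present: true, version: version.to_s, vulnerable: version < FIXED_SANITIZE }
end

# Constructed Gemfile.lock fragment pinning a vulnerable release.
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      nokogiri (1.8.2)
      sanitize (4.6.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.4.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    sanitize
LOCK

if __FILE__ == $PROGRAM_NAME
  # Read a real lockfile if one is given, otherwise use the constructed one.
  text = ARGV[0] ? File.read(ARGV[0]) : VULNERABLE_LOCK
  status = sanitize_lock_status(text)
  puts status.inspect
  puts 'Sanitize < 4.6.3 pinned: upgrade required (CVE-2018-3740)' if status[:vulnerable]
end
```

Using `Gem::Version` rather than string comparison matters here: `'4.6.10' < '4.6.3'` is true as strings, while `Gem::Version` orders the segments numerically.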
Exploit
Fix
XSS
Related identifiers
Affected products
Sanitize