Rafaelfranca

Name of the Vulnerable Software and Affected Versions: Bundler versions 1.16.0 through 2.2.9 Bundler versions 2.2.11 through 2.2.16 Description: The issue sometimes chooses a dependency source based on the highest gem version number. This means a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem explicitly depended on by the application. Recommendations: For Bundler versions 1.16.0 through 2.2.9, consider updating to a version outside of this range to mitigate the risk. For Bundler versions 2.2.11 through 2.2.16, consider updating to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting the use of public gem sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** rails-html-sanitizer gem versions prior to 1.0.4 **Description** The issue allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, potentially leading to an XSS attack on target applications. **Recommendations** For versions prior to 1.0.4, upgrade to version 1.0.4 or later to resolve the issue. As a temporary workaround, consider using one of the provided workarounds until an upgrade is possible.

**Name of the Vulnerable Software and Affected Versions** rails-html-sanitizer gem version 1.0.2 Ruby on Rails versions 4.2.x through 5.x **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the `Rails::Html::FullSanitizer` class. This enables attackers to execute malicious scripts on the client-side. **Recommendations** For rails-html-sanitizer gem version 1.0.2, update to a newer version to mitigate the risk. For Ruby on Rails versions 4.2.x through 5.x, ensure the rails-html-sanitizer gem is updated to a version that fixes the XSS vulnerability. As a temporary workaround, consider restricting the input allowed by the `Rails::Html::FullSanitizer` class to minimize the risk of exploitation.