PT-2024-18986 · View · View

Blakewilliams · Published 2024-01-04 · Updated 2024-01-10 · CVE-2024-21636

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: view_component versions prior to 3.9.0 and 2.83.0
Description: The view_component framework for Ruby on Rails has a cross-site scripting issue that can affect anyone rendering a component directly from a controller with the view_component gem. This issue affects components that define a #call method: the return value of #call is not sanitized and can include user-defined content. Additionally, the return value of #output_postamble is not sanitized, leading to potential cross-site scripting issues.
Recommendations: For versions prior to 3.9.0 and 2.83.0, sanitize the return value of #call as a workaround, for example by applying html_escape to user-controlled values inside the #call method. Upgrade to version 3.9.0 or 2.83.0 to fully mitigate both the #call and the #output_postamble vulnerabilities.
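The #call pattern and the html_escape workaround, as an added illustration that is not part of this advisory or of the view_component project: GreetingComponent and render_component are stand-ins written here (ViewComponent and Rails are not loaded), and USER_INPUT is a constructed sample value.

```ruby
require "erb"

# Stand-in for a ViewComponent::Base subclass that renders via #call instead of
# a template. Before 3.9.0 / 2.83.0 the String returned by #call was emitted
# into the page as-is when the component was rendered from a controller.
class GreetingComponent
  def initialize(name:)
    @name = name
  end

  # Vulnerable pattern: user-controlled @name is interpolated unescaped, so any
  # markup it carries reaches the browser verbatim.
  def call
    "<p class=\"greeting\">Hello, #{@name}!</p>"
  end
end

# Hardened pattern following the advisory's workaround: escape every
# user-controlled value before it is interpolated into the markup that #call
# returns. The same applies to anything #output_postamble returns.
class SafeGreetingComponent < GreetingComponent
  def call
    "<p class=\"greeting\">Hello, #{ERB::Util.html_escape(@name)}!</p>"
  end
end

# Minimal stand-in for the controller path `render SomeComponent.new(...)`:
# a framework that trusts #call would send this string straight to the client.
def render_component(component)
  component.call
end

# Constructed sample input that carries markup.
USER_INPUT = "<script>alert(1)</script>"

# True when the rendered output still contains a raw <script> tag, i.e. when the
# component failed to neutralise the markup in its input.
def leaks_markup?(component)
  render_component(component).include?("<script")
end

if __FILE__ == $0
  puts render_component(GreetingComponent.new(name: USER_INPUT))
  puts render_component(SafeGreetingComponent.new(name: USER_INPUT))
end
```

In a Rails application ERB::Util.html_escape returns an html_safe SafeBuffer and leaves already-safe strings untouched; with plain Ruby, as here, it returns an ordinary String.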

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2024-21636
GHSA-WF2X-8W6J-QW37

Affected Products
View