PT-2024-24592 · Unknown · Actiontext


Published: 2024-06-04 · Updated: 2025-03-26

CVE-2024-32464 · CVSS v3.1: 6.1 (Medium) · Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ActionText versions 7.1.0 through 7.1.3.3; ActionText version 7.2.0.beta1.
Description: Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could contain unsanitized HTML. When such content is rendered in the Trix editor this can lead to cross-site scripting.
Recommendations: For ActionText versions 7.1.0 through 7.1.3.3, update to version 7.1.3.4. For ActionText version 7.2.0.beta1, update to version 7.2.0.beta2. As a temporary workaround, restrict access to the rich_text_area tag until the update is applied; note that this limits who can reach the editor rather than fixing the rendering itself. Users on the 7.1 series who cannot upgrade immediately can apply the provided patch, action_text_content_attachment_xss_7_1_stable.patch. No separate patch file is listed here for 7.2.0.beta1, so that release should be upgraded to 7.2.0.beta2.
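As an added example (not part of this advisory and not code from the Rails project), the check below reads the resolved actiontext version out of a Gemfile.lock and tests it against the two affected ranges stated above. It uses Gem::Version rather than string comparison so that the pre-release case is handled correctly (7.2.0.beta1 is affected, 7.2.0.beta2 is not). The lockfile excerpt is constructed for demonstration, and the function and constant names are assumptions.

```ruby
# Added example, not code from the advisory or from the Rails project:
# audit a Gemfile.lock against the ActionText ranges listed for CVE-2024-32464.
require "rubygems"

# Affected ranges from the advisory, as [first affected, first fixed):
# 7.1.0 .. 7.1.3.3 -> fixed in 7.1.3.4; 7.2.0.beta1 -> fixed in 7.2.0.beta2.
CVE_2024_32464_RANGES = [
  [Gem::Version.new("7.1.0"),       Gem::Version.new("7.1.3.4")],
  [Gem::Version.new("7.2.0.beta1"), Gem::Version.new("7.2.0.beta2")],
].freeze

# Returns the version to upgrade to if +version_string+ is affected, else nil.
# Gem::Version orders prereleases correctly, so 7.2.0.beta1 < 7.2.0.beta2 < 7.2.0.
def actiontext_fix_for(version_string)
  v = Gem::Version.new(version_string)
  CVE_2024_32464_RANGES.each do |first_bad, first_fixed|
    return first_fixed.to_s if v >= first_bad && v < first_fixed
  end
  nil
end

# Pulls the resolved actiontext version out of Gemfile.lock text.
# The spec line is indented four spaces with a bare version ("    actiontext (7.1.3.3)");
# dependency lines are indented six and carry an operator ("      actiontext (= 7.1.3.3)"),
# so the regex requires exactly four leading spaces and a version starting with a digit.
def actiontext_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}actiontext \((\d[^)]*)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Combines both checks into {version:, affected:, fix:}; version is nil when
# actiontext does not appear in the lockfile at all.
def audit_lockfile(lockfile_text)
  version = actiontext_version_from_lockfile(lockfile_text)
  return { version: nil, affected: false, fix: nil } if version.nil?
  fix = actiontext_fix_for(version)
  { version: version, affected: !fix.nil?, fix: fix }
end

# Constructed Gemfile.lock excerpt for demonstration; not taken from a real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.3.3)
      actiontext (7.1.3.3)
        actionpack (= 7.1.3.3)
        activerecord (= 7.1.3.3)
        globalid (>= 0.6.0)
        nokogiri (>= 1.8.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = audit_lockfile(text)
  if result[:version].nil?
    puts "actiontext not found in lockfile"
  elsif result[:affected]
    puts "actiontext #{result[:version]} is affected by CVE-2024-32464; upgrade to #{result[:fix]}"
  else
    puts "actiontext #{result[:version]} is not in the affected ranges"
  end
end
```

Run it with the path to a project's Gemfile.lock as the first argument; with no argument it audits the constructed sample, which reports 7.1.3.3 as affected with 7.1.3.4 as the fix. Matching only the four-space spec line is what keeps a grep-style false positive from the indented dependency entries (which carry `= 7.1.3.3`) out of the result.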

Tag: XSS

Related Identifiers

ALT-PU-2025-3714
BIT-RAILS-2024-32464
CVE-2024-32464
GHSA-PRJP-H48F-JGF6

Affected Products

Alt Linux
Actiontext