PT-2024-35999 · Rails +2

Mokusou +2

Published: 2024-12-02 · Updated: 2026-04-17

CVE-2024-53987

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: rails-html-sanitizer version 1.6.0
Description: A possible XSS vulnerability exists with certain configurations of Rails::HTML::Sanitizer when used with Rails >= 7.1.0. It may allow an attacker to inject content when all of the following hold: HTML5 sanitization is enabled (the default sanitizer vendor for applications running with Rails 7.1 defaults), the application developer has overridden the sanitizer's allowed tags, the style element is explicitly allowed in that override, and neither the svg nor the math element is allowed. Applications that keep the default allowed-tag list are not affected, since style is not in it.
Recommendations: For rails-html-sanitizer version 1.6.0, upgrade to version 1.6.1, which fixes the vulnerability. As a temporary workaround, remove style from the overridden allowed tags, or downgrade sanitization to HTML4 (in Rails 7.1, config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer).
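The following is an added example, not code from the advisory or from the rails-html-sanitizer project. It shows the vulnerable configuration shape described above beside the two workarounds, plus a small audit helper that flags an allowed-tag override matching the advisory's condition. The helper names (cve_2024_53987_exposed?, harden_allowed_tags) are hypothetical; the Rails settings quoted in the comments (config.action_view.sanitized_allowed_tags, config.action_view.sanitizer_vendor) and the tags: keyword of SafeListSanitizer#sanitize are taken from the Rails 7.1 and rails-html-sanitizer documentation. The sample HTML is constructed and is not an exploit payload.

```ruby
# Added example (not the project's own code).
#
# Vulnerable configuration shape (HTML5 vendor is the Rails 7.1 default):
#   config.action_view.sanitized_allowed_tags = %w[p a b i style]
#
# Workaround 1, drop style from the override:
#   config.action_view.sanitized_allowed_tags = %w[p a b i]
#
# Workaround 2, downgrade to the HTML4 sanitizer:
#   config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer
#
# Real fix: upgrade rails-html-sanitizer to >= 1.6.1.

# Audit helper (hypothetical name): true when an allowed-tag override matches
# the advisory's condition, i.e. HTML5 sanitization is in use, "style" is
# explicitly allowed, and neither "svg" nor "math" is allowed.
# `allowed_tags` may be an Array or a Set of strings/symbols, as found in
# config.action_view.sanitized_allowed_tags or a per-call `tags:` argument.
def cve_2024_53987_exposed?(allowed_tags:, html5: true)
  tags = Array(allowed_tags.to_a).map(&:to_s)
  return false unless html5
  tags.include?("style") && !(tags.include?("svg") || tags.include?("math"))
end

# Workaround 1 applied programmatically: the same override minus "style".
def harden_allowed_tags(allowed_tags)
  Array(allowed_tags.to_a).map(&:to_s) - ["style"]
end

VULNERABLE_TAGS = %w[p a b i style].freeze      # constructed example override
SAFE_TAGS       = harden_allowed_tags(VULNERABLE_TAGS).freeze

puts "override #{VULNERABLE_TAGS.inspect} exposed? " \
     "#{cve_2024_53987_exposed?(allowed_tags: VULNERABLE_TAGS)}"
puts "override #{SAFE_TAGS.inspect} exposed? " \
     "#{cve_2024_53987_exposed?(allowed_tags: SAFE_TAGS)}"

# Live comparison of the three configurations, run only when the gem is
# installed; everything above works with the Ruby standard library alone.
begin
  require "rails-html-sanitizer"
  sample = "<p>hello</p><style>p { color: red }</style>" # constructed input
  html5  = Rails::HTML5::SafeListSanitizer.new
  html4  = Rails::HTML4::SafeListSanitizer.new
  puts "HTML5, style allowed: #{html5.sanitize(sample, tags: VULNERABLE_TAGS)}"
  puts "HTML5, style removed: #{html5.sanitize(sample, tags: SAFE_TAGS)}"
  puts "HTML4, style allowed: #{html4.sanitize(sample, tags: VULNERABLE_TAGS)}"
rescue LoadError
  puts "rails-html-sanitizer not installed; skipping live sanitizer calls"
end
```

Run the audit against every place the application overrides allowed tags: the global config key, any subclass that sets SafeListSanitizer.allowed_tags, and each call of sanitize(..., tags: ...) in views and helpers, since a per-call override meets the advisory's condition just as the global one does.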

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

BDU:2025-04577
CVE-2024-53987
GHSA-2X5M-9CH4-QGRR
OPENSUSE-SU-2026:10569-1

Affected Products

Rails
Red Os
Rails-Html-Sanitizer