PT-2024-5871 · Unknown+2 · Ruby On Rails+2

Ooooooo-Q

Published 2024-02-24 · Updated 2025-05-17 · CVE-2024-26143

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Ruby on Rails versions prior to 7.1.3.1; Ruby on Rails versions prior to 7.0.8.1
Description: There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications that call translation methods such as translate or t on a controller with a key ending in "_html" and a :default value containing untrusted user input, and then use the resulting string in a view, may be susceptible to XSS. The vulnerability stems from incorrect neutralization of input during web page generation: because of the "_html" suffix the untrusted default is treated as trusted HTML, which can allow an attacker to conduct cross-site scripting.
Recommendations: For versions prior to 7.1.3.1, update to version 7.1.3.1; for versions prior to 7.0.8.1, update to version 7.0.8.1. As a temporary workaround until the fixed version is applied, do not call translate or t on controllers with keys ending in "_html" and a :default value that contains untrusted user input, and restrict use of the affected translation helpers in Action Controller to minimize the risk of exploitation.
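The pattern described above and its mitigation, as an added Ruby example that is not code from Rails or from this advisory. It uses a constructed stand-in translation table instead of the I18n gem; translate_unpatched is a hypothetical reconstruction of the pre-fix behaviour (an "_html" key marks the caller-supplied :default as safe HTML without escaping it), and translate_patched escapes that default unless the caller explicitly passed it as safe HTML, which mirrors the approach of the fixed releases. TRANSLATIONS, SafeString, html_key?, html_safe_value?, format_with and both translate functions are assumed names.

```ruby
require "cgi"

# Constructed stand-in for the I18n backend: only these keys exist. By Rails
# convention a key ending in "_html" is returned as already-safe HTML.
TRANSLATIONS = {
  "greeting_html" => "<strong>Hello, %{name}</strong>",
  "greeting"      => "Hello, %{name}",
}.freeze

# Stand-in for ActiveSupport::SafeBuffer: a String that reports itself as
# safe HTML, so a view would render it without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

def html_key?(key)
  key.to_s.end_with?("_html")
end

def html_safe_value?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

def format_with(template, interp)
  interp.empty? ? template : template % interp
end

# Hypothetical reconstruction of the pre-fix behaviour: for an "_html" key
# the interpolation values are escaped, but a missing key falls back to the
# caller-supplied :default verbatim, which is then marked safe. If that
# default carries untrusted input, it reaches the page unescaped.
def translate_unpatched(key, default: nil, **interp)
  value = TRANSLATIONS.fetch(key.to_s) { default }
  return nil if value.nil?
  return format_with(value, interp) unless html_key?(key)

  escaped = interp.transform_values { |v| CGI.escapeHTML(v.to_s) }
  SafeString.new(format_with(value, escaped))
end

# Hardened version: for an "_html" key the :default is escaped as well,
# unless the caller explicitly passed it as safe HTML. Everything else is
# unchanged.
def translate_patched(key, default: nil, **interp)
  if html_key?(key) && !default.nil? && !html_safe_value?(default)
    default = CGI.escapeHTML(default.to_s)
  end
  translate_unpatched(key, default: default, **interp)
end

if __FILE__ == $PROGRAM_NAME
  untrusted = "<script>alert(1)</script>" # constructed untrusted input
  puts translate_unpatched("missing_html", default: untrusted) # marked safe, rendered as markup
  puts translate_patched("missing_html", default: untrusted)   # escaped, rendered as text
  puts translate_patched("greeting_html", name: "<b>Ann</b>")  # interpolation escaped in both versions
end
```

The check that matters for code review is the one in translate_patched: any :default reaching an "_html" key that is not already a safe buffer must be escaped before the result is marked safe. Interpolation values were already escaped, which is why the advisory singles out the :default path.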

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2025-3714
BDU:2024-06653
BIT-RAILS-2024-26143
CVE-2024-26143
GHSA-9822-6M93-XQF4
OPENSUSE-SU-2024:14067-1
OPENSUSE-SU-2024:14074-1
OPENSUSE-SU-2025:15110-1
OPENSUSE-SU-2025:15124-1

Affected Products

Alt Linux
Red Os
Ruby On Rails