Platform: ruby
Component: govuk_tech_docs
Fixed in: 3.3.1
CVE-2024-22048 describes a cross-site scripting (XSS) vulnerability affecting the govuk_tech_docs gem in versions up to and including 3.3.0. When an indexed page contains an unsanitized HTML snippet, that HTML is rendered as markup in the site's search results instead of being shown as text. The risk is rated low because an attacker first needs to get their markup into an indexed page and the rendered snippet is short, but successful exploitation still means script execution in the context of the affected website. The vulnerability was published on April 11, 2023, and a fix is available in version 3.3.1.
The primary impact of CVE-2024-22048 is cross-site scripting (XSS). An attacker who can place malicious HTML in a page indexed by a site built with the govuk_tech_docs gem can have that HTML rendered in search results. Arbitrary JavaScript could then run in the browser of any user who views the search result, which can lead to session hijacking, defacement of the search result, or redirection to malicious websites. The low risk rating reflects the difficulty of injecting code into indexed content and the limited length of the rendered snippet, which constrains how much an injected payload can do. Even limited XSS, however, can be used for phishing or to steal sensitive information.
CVE-2024-22048 is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not widely available. The vulnerability's low severity rating and the requirement for code injection into indexed pages suggest a low probability of active exploitation. The vulnerability was disclosed publicly on April 11, 2023, alongside the release of the fix.
Exploit Status
EPSS: 2.07% (84th percentile)
The recommended mitigation for CVE-2024-22048 is to upgrade to version 3.3.1 or later of the govuk_tech_docs gem. If upgrading is not immediately feasible, sanitize any user-controllable content that ends up in indexed pages, for example with a robust HTML sanitization library that removes markup before the content is indexed. Also review the site's search indexing configuration so that sensitive or untrusted content is not indexed at all. After upgrading, confirm the fix by placing a simple HTML snippet (e.g., <script>alert('XSS')</script>) in a test page and verifying that the search results show it as text rather than rendering it.
Update the govuk_tech_docs gem to version 3.3.1 or later; this fixes the XSS vulnerability. You can update the gem with the command `gem update govuk_tech_docs`.
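The following is an added example, not code from govuk_tech_docs itself, showing the defect class the advisory describes and the hardening a site owner would expect from the fix or from an interim workaround: a search-index snippet built from raw page HTML beside one that strips script blocks and tags, truncates, and HTML-escapes the result. The sample page, the function names (`unsafe_snippet`, `safe_snippet`, `page_text`, `snippet_rendered_safely?`) and the snippet length are all assumptions made for this example; they do not reflect the gem's internal API.

```ruby
require "cgi"

# Constructed sample page, not taken from any real site. It contains a
# markup snippet of the kind used to verify the fix, plus a literal "<"
# written as an entity by a page author.
SAMPLE_PAGE_HTML = <<~HTML
  <h1>Deploying the service</h1>
  <p>Run the deploy script, then check the <strong>status page</strong>.</p>
  <p>Injected by a test: <script>alert('XSS')</script></p>
  <p>Authors sometimes write 1 &lt; 2 in prose.</p>
HTML

# Assumed maximum length of a search-result snippet (hypothetical value).
SNIPPET_LENGTH = 160

# The defect class: the indexer stores a prefix of the raw page HTML and the
# results page later inserts it as markup. Any tag in the page survives.
def unsafe_snippet(html, max_len = SNIPPET_LENGTH)
  html[0, max_len]
end

# Reduce page HTML to plain text: drop script/style elements including their
# bodies, strip all remaining tags, decode entities, collapse whitespace.
def page_text(html)
  text = html.gsub(%r{<(script|style)\b[^>]*>.*?</\1>}mi, " ")
  text = text.gsub(/<[^>]+>/, "")
  CGI.unescapeHTML(text).gsub(/\s+/, " ").strip
end

# Hardened form: truncate the plain text, then HTML-escape it so that any
# markup-like characters left in the text (including ones an author typed
# on purpose) are displayed as text rather than interpreted by the browser.
def safe_snippet(html, max_len = SNIPPET_LENGTH)
  text = page_text(html)
  text = text[0, max_len].rstrip + "..." if text.length > max_len
  CGI.escapeHTML(text)
end

# Post-upgrade check: a snippet that will be inserted as HTML must contain
# no raw "<" at all, so no tag of any kind can be rendered from it.
def snippet_rendered_safely?(snippet)
  !snippet.include?("<")
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{unsafe_snippet(SAMPLE_PAGE_HTML).inspect}"
  puts "safe:   #{safe_snippet(SAMPLE_PAGE_HTML).inspect}"
  puts "safe snippet passes check: #{snippet_rendered_safely?(safe_snippet(SAMPLE_PAGE_HTML))}"
end
```

The check deliberately rejects any `<` rather than looking for `<script` specifically, because a snippet that reaches the browser as markup can carry an event handler on an ordinary tag just as easily as a script element; escaping the whole snippet is the property worth verifying.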
CVE-2024-22048 is a cross-site scripting vulnerability in govuk_tech_docs versions up to 3.3.0 that allows unsanitized HTML from indexed pages to be rendered in search results.
You are affected if your project uses govuk_tech_docs version 3.3.0 or earlier and has pages indexed by search engines.
Upgrade to version 3.3.1 or later of the govuk_tech_docs gem. Implement input sanitization as a temporary workaround.
There is no widespread evidence of active exploitation at this time, but the potential remains due to the XSS nature of the vulnerability.
Refer to the official govuk_tech_docs release notes and security advisories for details: [https://github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1](https://github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1)