प्लेटफ़ॉर्म
ruby
घटक
govuk_tech_docs
में ठीक किया गया
3.3.1
3.3.1
CVE-2024-22048 describes a cross-site scripting (XSS) vulnerability affecting the govuktechdocs gem versions up to and including 3.3.0. This vulnerability allows malicious HTML code to be rendered in search results when indexed pages contain unsanitized HTML snippets. While the risk is considered low due to the requirement of code injection and limited rendering length, exploitation could lead to script execution within the context of the affected website. The vulnerability was published on April 11, 2023, and a fix is available in version 3.3.1.
The primary impact of CVE-2024-22048 lies in the potential for cross-site scripting (XSS) attacks. An attacker who can inject malicious HTML code into a page indexed by a site using the govuktechdocs gem could have that code rendered in search results. This could be used to execute arbitrary JavaScript in the user's browser when they view the search result, potentially leading to session hijacking, defacement of the search result, or redirection to malicious websites. The vulnerability's low risk rating stems from the difficulty of injecting malicious code and the limited length of the rendered snippet, which restricts the complexity of potential exploits. However, even limited XSS can be leveraged for phishing or to steal sensitive information.
CVE-2024-22048 is not currently listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not widely available. The vulnerability's low severity rating and the requirement for code injection into indexed pages suggest a low probability of active exploitation. The vulnerability was disclosed publicly on April 11, 2023, alongside the release of the fix.
Websites and applications using the govuktechdocs gem versions 3.3.0 and earlier, particularly those with publicly accessible pages indexed by search engines, are at risk. Shared hosting environments where multiple websites share the same instance of the gem are also potentially vulnerable.
disclosure
patch
एक्सप्लॉइट स्थिति
EPSS
2.07% (84% शतमक)
The recommended mitigation for CVE-2024-22048 is to upgrade to version 3.3.1 or later of the govuktechdocs gem. If upgrading is not immediately feasible, consider implementing input sanitization measures on any user-controllable content that is included in pages indexed by search engines. This could involve using a robust HTML sanitization library to remove potentially malicious code. Additionally, review your website's search engine indexing configuration to ensure that sensitive or untrusted content is not being indexed. After upgrading, confirm the fix by manually injecting a simple HTML snippet (e.g., <script>alert('XSS')</script>) into a test page and verifying that it is not rendered in search results.
govuk_tech_docs gem को संस्करण 3.3.1 या उच्चतर में अपडेट करें। यह XSS भेद्यता को ठीक कर देगा। आप `gem update tech-docs-gem` कमांड का उपयोग करके gem को अपडेट कर सकते हैं।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2024-22048 is a cross-site scripting vulnerability in govuktechdocs versions up to 3.3.0, allowing unsanitized HTML to be rendered in search results.
You are affected if your project uses govuktechdocs version 3.3.0 or earlier and has pages indexed by search engines.
Upgrade to version 3.3.1 or later of the govuktechdocs gem. Implement input sanitization as a temporary workaround.
There is no widespread evidence of active exploitation at this time, but the potential remains due to the XSS nature of the vulnerability.
Refer to the official govuktechdocs release notes and security advisories for details: [https://github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1](https://github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1)
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी Gemfile.lock फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।