Platform: ruby
Component: govuk_tech_docs
Fixed in: 3.3.1
CVE-2024-22048 describes a cross-site scripting (XSS) vulnerability affecting the govuk_tech_docs gem in versions up to and including 3.3.0. The flaw allows malicious HTML to be rendered in search results when an indexed page contains an unsanitized HTML snippet. The risk is considered low because an attacker must first get code into an indexed page and because the rendered snippet is short, but successful exploitation leads to script execution in the context of the affected website. The vulnerability was published on April 11, 2023, and a fix is available in version 3.3.1.
The primary impact of CVE-2024-22048 is cross-site scripting. An attacker who can inject malicious HTML into a page indexed by a site using the govuk_tech_docs gem could have that HTML rendered in search results. This could be used to execute arbitrary JavaScript in a user's browser when they view the search result, potentially leading to session hijacking, defacement of the search result, or redirection to malicious websites. The low risk rating stems from the difficulty of injecting the code in the first place and from the limited length of the rendered snippet, which restricts how complex a payload can be. Even limited XSS, however, can be leveraged for phishing or to steal sensitive information.
CVE-2024-22048 is not currently listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available. The low severity rating and the requirement for code injection into indexed pages suggest a low probability of active exploitation. The vulnerability was disclosed publicly on April 11, 2023, alongside the release of the fix.
Websites and applications using govuk_tech_docs gem versions 3.3.0 and earlier are at risk, particularly those with publicly accessible pages that are indexed by search engines. Shared hosting environments in which multiple websites share the same instance of the gem are also potentially vulnerable.
EPSS: 2.07% (84th percentile)
The recommended mitigation for CVE-2024-22048 is to upgrade to version 3.3.1 or later of the govuk_tech_docs gem. If upgrading is not immediately feasible, consider applying input sanitization to any user-controllable content that is included in pages indexed by search engines, for example by using a robust HTML sanitization library to remove potentially malicious markup. Additionally, review your website's search engine indexing configuration to ensure that sensitive or untrusted content is not being indexed. After upgrading, confirm the fix by manually injecting a simple HTML snippet (e.g., `<script>alert('XSS')</script>`) into a test page and verifying that it is not rendered in search results.
Update the govuk_tech_docs gem to version 3.3.1 or later. This resolves the XSS vulnerability. You can update the gem with the command `gem update tech-docs-gem`.
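As an added illustration of the sanitization workaround described above (example code written for this page, not the gem's own implementation): the first function shows the vulnerable pattern of inserting a raw HTML fragment into the results markup, while the second reduces the indexed content to plain text and escapes it before rendering. The sample page content is constructed, and the 80-character snippet length is an assumption.

```ruby
require "cgi"

# Constructed sample of the kind of content a documentation page could
# contain; the <script> element stands in for injected HTML.
INDEXED_PAGE = <<~HTML
  <p>Configure the <code>app</code> before deploying.</p>
  <script>alert('XSS')</script><p>Second paragraph.</p>
HTML

# Vulnerable pattern: the raw HTML fragment is cut to length and inserted
# into the results markup without escaping, so any tag in the page is
# rendered by the browser of whoever views the search results.
def unsafe_snippet(html, length: 80)
  fragment = html[0, length]
  "<li class=\"result\">#{fragment}</li>"
end

# Hardened pattern, step 1: reduce the indexed content to plain text.
def plain_text(html)
  text = html.gsub(%r{<script\b.*?</script>}mi, " ")  # drop script bodies entirely
             .gsub(/<[^>]*>/, " ")                     # remove remaining tags
  # Decode entities only after tags are gone, so "&lt;b&gt;" in the page
  # stays the literal text "<b>" instead of turning into a tag.
  CGI.unescapeHTML(text).gsub(/\s+/, " ").strip
end

# Hardened pattern, step 2: truncate the text, then escape what remains so
# it is displayed literally rather than parsed as markup.
def safe_snippet(html, length: 80)
  text = plain_text(html)
  text = text[0, length].rstrip + "..." if text.length > length
  "<li class=\"result\">#{CGI.escapeHTML(text)}</li>"
end

# Check a result row for surviving markup; useful as a regression test
# after upgrading, alongside the manual <script> check described above.
def renders_markup?(snippet)
  body = snippet.sub(/\A<li class="result">/, "").sub(%r{</li>\z}, "")
  body.match?(/<[a-zA-Z]/)
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_snippet(INDEXED_PAGE)
  puts safe_snippet(INDEXED_PAGE)
end
```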
CVE-2024-22048 is a cross-site scripting vulnerability in govuk_tech_docs versions up to 3.3.0 that allows unsanitized HTML to be rendered in search results.
You are affected if your project uses govuk_tech_docs version 3.3.0 or earlier and has pages indexed by search engines.
Upgrade to version 3.3.1 or later of the govuk_tech_docs gem. Implement input sanitization as a temporary workaround.
There is no widespread evidence of active exploitation at this time, but the potential remains given the XSS nature of the vulnerability.
Refer to the official govuk_tech_docs release notes and security advisories for details: [https://github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1](https://github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1)