{
  "canonical_id": "rails--CVE-2024-26143",
  "system_id": "rails",
  "display_name": "Ruby on Rails",
  "category": "frameworks",
  "advisory_mode": "core",
  "title": "Rails has possible XSS Vulnerability in Action Controller",
  "summary": "# Possible XSS Vulnerability in Action Controller\n\nThere is a possible XSS vulnerability when using the translation helpers\n(`translate`, `t`, etc) in Action Controller. This vulnerability has been\nassigned the CVE identifier CVE-2024-26143.\n\nVersions Affected:  >= 7.0.0.\nNot affected:       < 7.0.0\nFixed Versions:     7.1.3.1, 7.0.8.1\n\nImpact\n------\nApplications using translation methods like `translate`, or `t` on a\ncontroller, with a key ending in \"_html\", a `:default` key which contains\nuntrusted user input, and the resulting string is used in a view, may be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted code will look something like this:\n\n```ruby\nclass ArticlesController < ApplicationController\n  def show  \n    @message = t(\"message_html\", default: untrusted_input)\n    # The `show` template displays the contents of `@message`\n  end\nend\n```\n\nTo reiterate the pre-conditions, applications must:\n\n* Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from\n  a view)\n* Use a key that ends in `_html`\n* Use a default value where the default value is untrusted and unescaped input\n* Send the text to the victim (whether that's part of a template, or a\n  `render` call)\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n*  7-0-translate-xss.patch - Patch for 7.0 series\n*  7-1-translate-xss.patch - Patch for 7.1 series\n\nCredits\n-------\n\nThanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!",
  "published_at": "2024-02-27T21:41:12Z",
  "updated_at": "2024-12-20T10:42:26.578616Z",
  "severity": "low",
  "cvss_score": 3.1,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4",
  "secondary_source_urls": [
    "https://nvd.nist.gov/vuln/detail/CVE-2024-26143",
    "https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc",
    "https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e",
    "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947",
    "https://github.com/rails/rails",
    "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml",
    "https://security.netapp.com/advisory/ntap-20240510-0004"
  ],
  "aliases": [
    "BIT-rails-2024-26143",
    "CVE-2024-26143",
    "GHSA-9822-6m93-xqf4"
  ],
  "cve_ids": [
    "CVE-2024-26143"
  ],
  "ghsa_ids": [
    "GHSA-9822-6m93-xqf4"
  ],
  "osv_ids": [
    "GHSA-9822-6m93-xqf4"
  ],
  "affected_versions": [
    "7.0.0",
    "7.0.1",
    "7.0.2",
    "7.0.2.1",
    "7.0.2.2",
    "7.0.2.3",
    "7.0.2.4",
    "7.0.3",
    "7.0.3.1",
    "7.0.4",
    "7.0.4.1",
    "7.0.4.2",
    "7.0.4.3",
    "7.0.5",
    "7.0.5.1",
    "7.0.6",
    "7.0.7",
    "7.0.7.1",
    "7.0.7.2",
    "7.0.8",
    "7.1.0",
    "7.1.1",
    "7.1.2",
    "7.1.3",
    "introduced=7.0.0, fixed<7.0.8.1",
    "introduced=7.1.0, fixed<7.1.3.1"
  ],
  "fixed_versions": [
    "7.0.8.1",
    "7.1.3.1"
  ],
  "package_name": "rails",
  "render_markdown": true,
  "case_path": "07-framework-security/frameworks/rails/cases/rails-cve-2024-26143.md",
  "secure_code_topics": [
    "xss-output-encoding",
    "file-upload-validation",
    "authz-server-side-recheck"
  ],
  "status": "generated",
  "triage_reasons": [],
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "synthetic",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "OSV Rails"
    ],
    "source_kinds": [
      "osv-batch"
    ],
    "candidate_count": 1
  }
}