CVE-2024-26143.yml
---
gem: actionpack
framework: rails
cve: 2024-26143
ghsa: 9822-6m93-xqf4
url: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
title: Possible XSS Vulnerability in Action Controller
date: 2024-02-21
description: |
  There is a possible XSS vulnerability when using the translation helpers
  (`translate`, `t`, etc.) in Action Controller. This vulnerability has been
  assigned the CVE identifier CVE-2024-26143.

  Versions Affected: >= 7.0.0
  Not affected: < 7.0.0
  Fixed Versions: 7.1.3.1, 7.0.8.1

  # Impact

  Applications that call translation methods like `translate` or `t` on a
  controller with a key ending in `_html` and a `:default` value containing
  untrusted user input, and then use the resulting string in a view, may be
  susceptible to an XSS vulnerability.

  For example, impacted code will look something like this:

  ```
  class ArticlesController < ApplicationController
    def show
      @message = t("message_html", default: untrusted_input)
      # The `show` template displays the contents of `@message`
    end
  end
  ```

  To reiterate the pre-conditions, applications must:

  * Use a translation function from a controller (i.e. *not* `I18n.t`, or
    `t` from a view)
  * Use a key that ends in `_html`
  * Pass a default value that is untrusted, unescaped input
  * Send the text to the victim (whether that's part of a template, or a
    `render` call)

  All users running an affected release should either upgrade or use one of the workarounds immediately.

  # Releases

  The fixed releases are available at the normal locations.

  # Workarounds

  There are no feasible workarounds for this issue.
cvss_v3: 6.1
unaffected_versions:
- "< 7.0.0"
patched_versions:
- "~> 7.0.8, >= 7.0.8.1"
- ">= 7.1.3.1"
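An added Ruby example, not part of this advisory or of Rails' code, modelling the trust boundary the preconditions above describe: a key ending in `_html` marks the lookup result as HTML-safe, so an unescaped string passed as `:default` reaches the view verbatim. `TRANSLATIONS`, `UNTRUSTED_INPUT`, the two translate functions and `render` are simplified stand-ins for the Rails/I18n behaviour, and `fixed_translate` illustrates the idea of the fix (escaping a string default before it can be marked safe), not the patched code itself.

```ruby
# Added example (not Rails' code): a minimal model of the trust boundary behind
# CVE-2024-26143. An "_html" key marks the result as HTML-safe, so an unescaped,
# untrusted :default flows into the page verbatim on affected versions.
require "erb"

# Constructed translation table standing in for config/locales/*.yml (trusted,
# developer-authored content).
TRANSLATIONS = { "greeting_html" => "<b>Welcome</b>", "plain" => "Hello" }.freeze

# Constructed untrusted input, as an attacker-controlled request parameter would be.
UNTRUSTED_INPUT = "<script>alert(1)</script>"

# Stand-in for the affected behaviour: for "_html" keys the lookup result,
# including a :default fallback, is marked html_safe without being escaped.
def vulnerable_translate(key, default: nil)
  value = TRANSLATIONS.fetch(key, default)
  { text: value, html_safe: key.end_with?("_html") }
end

# Model of the fix: a String :default is HTML-escaped before it can be marked
# safe through an "_html" key. Locale-file translations stay trusted as before.
def fixed_translate(key, default: nil)
  if key.end_with?("_html") && default.is_a?(String)
    default = ERB::Util.html_escape(default)
  end
  value = TRANSLATIONS.fetch(key, default)
  { text: value, html_safe: key.end_with?("_html") }
end

# Model of the view: html_safe strings are emitted verbatim, everything else is
# escaped on output (the default for ERB templates in Rails).
def render(result)
  result[:html_safe] ? result[:text] : ERB::Util.html_escape(result[:text])
end

if __FILE__ == $PROGRAM_NAME
  # Missing key + untrusted default: the affected path emits the raw script
  # tag, the fixed path emits it entity-escaped.
  puts render(vulnerable_translate("message_html", default: UNTRUSTED_INPUT))
  puts render(fixed_translate("message_html", default: UNTRUSTED_INPUT))
end
```

The same untrusted default under a key without the `_html` suffix is escaped by the view in both variants, which is why the suffix is one of the advisory's preconditions.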