Ruby on Rails Action Pack Debug Exceptions XSS Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Action Pack component of Ruby on Rails, specifically in versions 8.1 prior to 8.1.2.1. The issue arises because the debug exceptions page fails to properly escape exception messages. This flaw allows a carefully crafted exception message to inject arbitrary HTML and JavaScript into the page. The vulnerability affects applications with detailed exception pages enabled, which is the default setting in development.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, raise an exception that includes unescaped HTML, such as a script tag, in an application running Action Pack version 8.1 prior to 8.1.2.1. Ensure that the application has detailed exception pages enabled. When the exception is triggered, the injected HTML will be executed, demonstrating the XSS vulnerability.

Remediation

Users can upgrade to Action Pack version 8.1.2.1 or later, where this vulnerability has been patched.