
Cloud Vulnerability DB
A community-led vulnerabilities database
A possible XSS vulnerability was discovered in ActionView's JavaScript literal escape helpers and is tracked as CVE-2020-5267. It affects all versions of ActionView before 6.0.2.2 and 5.2.4.2: views that pass untrusted input through the j or escape_javascript helpers could be susceptible to XSS. The issue was disclosed on March 19, 2020, and fixed in versions 6.0.2.2 and 5.2.4.2 (GitHub Advisory, OSS Security).
The flaw lies in the JavaScript literal escape helpers of ActionView, specifically the j and escape_javascript methods (j is an alias of escape_javascript), which did not escape backticks or dollar signs. Inside a JavaScript template literal a backtick ends the literal and `${` opens an interpolation, so helper output placed in a template literal is only safe if those two characters are escaped. The vulnerability has a CVSS v3.1 Base Score of 4.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).
When exploited, this vulnerability allows cross-site scripting (XSS) through JavaScript string literals in views that use the affected helpers. The impact is most relevant where untrusted input is passed through these helpers in a JavaScript context, notably template literals (GitHub Advisory).
The primary mitigation is to upgrade to ActionView 6.0.2.2 or 5.2.4.2. Users who cannot upgrade immediately can apply a monkey patch that adds escaping for backticks and dollar signs: it extends JS_ESCAPE_MAP with entries for the two characters and redefines escape_javascript so that its replacement pattern matches them (GitHub Advisory, Rails Commit).
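As an added example (not the Rails source or the advisory's patch), the following stand-alone Ruby models the helper's escape map before and after the fix and checks whether the escaped output can sit inside a JavaScript template literal without ending it. The map, the pattern and the sample input are constructed for this illustration; names are local to it.

```ruby
# Added example, not code from Rails or the advisory: a stand-alone model of
# escape_javascript so the effect of the missing map entries can be seen.
# Map entries approximate the helper's behaviour; names are local here.

# Escape map as it stood before the fix: no entries for "`" or "$".
JS_ESCAPE_MAP_OLD = {
  "\\"     => "\\\\",
  "</"     => '<\/',
  "\r\n"   => '\n',
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\\"',
  "'"      => "\\'",
  "\u2028" => "&#x2028;",
  "\u2029" => "&#x2029;"
}.freeze
OLD_PATTERN = /(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'])/u

# Hardened map: a backtick would otherwise terminate a template literal and
# "${" would open an interpolation, so both get a backslash prefix.
JS_ESCAPE_MAP_NEW = JS_ESCAPE_MAP_OLD.merge("`" => "\\`", "$" => "\\$").freeze
NEW_PATTERN = /(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'`$])/u

# Same shape as the helper: empty input stays empty, otherwise every match
# is replaced by its map entry.
def escape_js(value, map, pattern)
  str = value.to_s
  return "" if str.empty?
  str.gsub(pattern, map)
end

# Walks an escaped string the way a JS parser reads the inside of `...`:
# a backslash consumes the next character; an unescaped "`" or "${" means
# the literal can be left, so the output is not safe for that context.
def safe_in_template_literal?(escaped)
  i = 0
  while i < escaped.length
    c = escaped[i]
    if c == "\\"
      i += 2
      next
    end
    return false if c == "`" || (c == "$" && escaped[i + 1] == "{")
    i += 1
  end
  true
end
```

Running `escape_js("Alice`${b}", JS_ESCAPE_MAP_OLD, OLD_PATTERN)` (constructed input) returns the string unchanged and fails the safety check, while the hardened map yields `Alice\`\${b}`, which passes.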
Source: This report was generated using AI