CVE-2022-32209: 
Ruby vulnerability analysis and mitigation

A possible XSS (Cross-Site Scripting) vulnerability was discovered in Rails::Html::Sanitizer, a library responsible for sanitizing HTML fragments in Rails applications. The vulnerability (CVE-2022-32209) was identified in versions prior to 1.4.3 and allows attackers to inject content if the application developer has overridden the sanitizer's allowed tags to permit both 'select' and 'style' elements (NVD, Debian Security).

The vulnerability exists when specific configurations of Rails::Html::Sanitizer are used, particularly when the sanitizer's allowed tags are overridden to include both 'select' and 'style' elements. The issue received a CVSS v3.1 Base Score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating a network-accessible vulnerability requiring user interaction (NVD).

If exploited, this vulnerability could allow attackers to perform cross-site scripting (XSS) attacks, potentially leading to the injection of malicious content into web applications using the affected Rails::Html::Sanitizer versions. The impact is limited to applications that have specifically overridden the allowed tags configuration (NVD).

The vulnerability was patched in version 1.4.3. For users unable to upgrade immediately, a workaround is available: remove either 'select' or 'style' from the overridden allowed tags. It's important to note that code is not impacted if allowed tags are overridden using either the :tags option to the Action View helper method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize (NVD).