CVE-2024-21636: 
Ruby vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in view_component, a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. The vulnerability affects versions prior to 3.9.0 and 2.83.0, and was disclosed on January 4, 2024. The issue impacts components that define a #call method instead of using a sidecar template, where the return value is not properly sanitized and can include user-defined content (GitHub Advisory).

The vulnerability occurs when a component is rendered directly from a controller, where the rendered string is not escaped and can become a vector for cross-site scripting attacks. The issue also extends to the return value of the #output_postamble method, which similarly lacks proper sanitization. The vulnerability has been assigned CVE-2024-21636 and received a CVSS v3.1 base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD).

When exploited, this vulnerability allows attackers to inject arbitrary JavaScript code through user-defined input, potentially leading to the exfiltration of sensitive information such as cookies to third parties. The vulnerability is particularly concerning when components are rendered directly by controllers, as the usual HTML escaping mechanisms provided by template handlers or ActionView are bypassed (GitHub PR).

The vulnerability has been fully mitigated in versions 3.9.0 and 2.83.0. As a workaround for affected versions, developers can manually sanitize the return value of #call using the html_escape method. For example: def call; html_escape("#{user_input}"); end (GitHub Advisory).

The security fix was initially planned only for version 3.x, but community feedback highlighted concerns about applications unable to upgrade due to breaking changes in version 3, leading to the backporting of the fix to version 2.x (GitHub PR).