CVE-2024-22048: 
Ruby vulnerability analysis and mitigation

CVE-2024-22048 affects govuk_tech_docs versions from 2.0.2 to before 3.3.1. The vulnerability was discovered and disclosed in April 2023, with a patch released in version 3.3.1. This cross-site scripting (XSS) vulnerability affects the search results page of applications using the affected versions (GitHub Advisory).

The vulnerability stems from improper sanitization of HTML content in search results. Pages indexed in search results have their entire contents indexed, including HTML code snippets, which would appear unsanitized in the search results. This made it possible to render arbitrary HTML or execute malicious JavaScript code when search results are displayed (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows potential execution of arbitrary HTML or JavaScript code through search results. While the impact is constrained by the limited length of search result snippets, successful exploitation could lead to cross-site scripting attacks when users visit specifically crafted search URLs (GitHub Advisory).

The vulnerability has been fixed in version 3.3.1 of govuk_tech_docs by implementing proper HTML sanitization in search results. Users should upgrade to this version or later to address the security issue (GitHub Release).