
Cloud Vulnerability DB
A community-led vulnerabilities database
Rails-html-sanitizer version 1.6.0, when used with Rails >= 7.1.0, contains a Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered on December 2, 2024, and affects the HTML sanitization functionality in Rails applications. The issue specifically occurs when HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags with specific configurations (GitHub Advisory).
The vulnerability occurs when HTML5 sanitization is enabled and the sanitizer's allowed tags are configured to include 'math', 'mtext', 'table', and 'style' elements along with either 'mglyph' or 'malignmark' tags. This specific combination of allowed tags creates a condition that can be exploited for XSS attacks. The issue has been assigned CVE-2024-53988 and is rated as Moderate severity with a CVSS 4.0 score of 2.3 (LOW) (NVD).
When successfully exploited, this vulnerability allows attackers to inject malicious content through XSS attacks in applications using the affected configurations. The impact is particularly significant for applications that have explicitly overridden the default sanitizer configuration to allow the specific combination of HTML tags that enable the vulnerability (GitHub Advisory).
The vulnerability has been fixed in version 1.6.1. For users unable to upgrade immediately, two workarounds are available: 1) Remove 'mglyph' and 'malignmark' from the overridden allowed tags, or 2) Downgrade sanitization to HTML4 by modifying the configuration for config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor (GitHub Advisory).
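As an added example (not part of this report or of the rails-html-sanitizer project), the following Ruby script encodes the pre-conditions described above as an audit check and applies workaround 1 to an overridden allowed-tag list; the sample override, the `html5_enabled` flag and the helper names are assumptions made for the example, and the allowed-tag override is modelled on the Rails `config.action_view.sanitized_allowed_tags` setting.

```ruby
require "set"
require "rubygems" # provides Gem::Version for version comparisons

# Allowed-tag combination named in the CVE-2024-53988 advisory:
# all of these ...
REQUIRED_ALL = %w[math mtext table style].freeze
# ... plus at least one of these.
REQUIRED_ANY = %w[mglyph malignmark].freeze

# Rails accepts allowed tags as strings or symbols, in an Array or a Set;
# normalise to a Set of lowercase strings before comparing.
def normalize_tags(tags)
  Set.new(Array(tags).map { |t| t.to_s.downcase })
end

# True when an overridden allowed-tag set matches the vulnerable combination.
def vulnerable_tag_combination?(allowed_tags)
  tags = normalize_tags(allowed_tags)
  REQUIRED_ALL.all? { |t| tags.include?(t) } && REQUIRED_ANY.any? { |t| tags.include?(t) }
end

# Full pre-condition check from the report: rails-html-sanitizer 1.6.0 (fixed in 1.6.1),
# Rails >= 7.1.0, HTML5 sanitization enabled, and the vulnerable allowed-tag override.
# html5_enabled is an assumed flag standing in for the sanitizer_vendor setting.
def affected?(sanitizer_version:, rails_version:, html5_enabled:, allowed_tags:)
  gem_v = Gem::Version.new(sanitizer_version)
  vulnerable_gem = gem_v >= Gem::Version.new("1.6.0") && gem_v < Gem::Version.new("1.6.1")
  vulnerable_gem &&
    Gem::Version.new(rails_version) >= Gem::Version.new("7.1.0") &&
    html5_enabled &&
    vulnerable_tag_combination?(allowed_tags)
end

# Workaround 1 from the advisory: drop 'mglyph' and 'malignmark' from the override.
# (Workaround 2, switching config.action_view.sanitizer_vendor and
# config.action_text.sanitizer_vendor back to HTML4, is a config change, not shown here.)
def harden_allowed_tags(allowed_tags)
  Array(allowed_tags).reject { |t| REQUIRED_ANY.include?(t.to_s.downcase) }
end

if __FILE__ == $0
  # Constructed example override, as an app might set in an initializer.
  override = %w[p a math mtext mglyph table style]
  puts "affected: #{affected?(sanitizer_version: '1.6.0', rails_version: '7.1.3',
                              html5_enabled: true, allowed_tags: override)}"
  puts "hardened override: #{harden_allowed_tags(override).inspect}"
end
```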
Source: This report was generated using AI