High severityNVD Advisory· Published Mar 2, 2022· Updated Apr 23, 2025
Cross-site Scripting in view_component
CVE-2022-24722
Description
VIewComponent is a framework for building view components in Ruby on Rails. Versions prior to 2.31.2 and 2.49.1 contain a cross-site scripting vulnerability that has the potential to impact anyone using translations with the view_component gem. Data received via user input and passed as an interpolation argument to the translate method is not properly sanitized before display. Versions 2.31.2 and 2.49.1 have been released and fully mitigate the vulnerability. As a workaround, avoid passing user input to the translate function, or sanitize the inputs before passing them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
view_componentRubyGems | >= 2.31.0, < 2.31.2 | 2.31.2 |
view_componentRubyGems | >= 2.32.0, < 2.49.1 | 2.49.1 |
Affected products
2- github/view_componentv5Range: >= 2.31.0, < 2.31.2
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-cm9w-c4rj-r2cfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-24722ghsaADVISORY
- github.com/github/view_component/commit/3f82a6e62578ff6f361aba24a1feb2caccf83ff9ghsax_refsource_MISCWEB
- github.com/github/view_component/releases/tag/v2.31.2ghsax_refsource_MISCWEB
- github.com/github/view_component/releases/tag/v2.49.1ghsax_refsource_MISCWEB
- github.com/github/view_component/security/advisories/GHSA-cm9w-c4rj-r2cfghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/view_component/CVE-2022-24722.ymlghsaWEB
News mentions
0No linked articles in our index yet.