Headline
CVE-2022-3704: ¬ XSS within Route Error Page · Issue #46244 · rails/rails
A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319.
After highlighting this issue to the Rails team via Hacker1, I was informed that this bug should be highlighted here upstream.
Whilst the issue is nothing critical, it is after all more of a self XSS, the ability to inject XSS attacks within the Rails framework is concerning. At a later date a vulnerability may be discovered that could leverage this issue or the code within this page could be reused elsewhere creating another attack vector that could be triggered by an attacker.
I am not an expert in Ruby or Rails and when I found this issue on a penetration test for a client, we discovered it was not an issue with the web application but one within Rails itself. The screenshot attached is therefore redacted of client identification.
Steps to reproduce
Request a page that does not have a matching routing to produce the Routing Error page.
Expected behavior
Expected behaviour is a error page with resources to help navigate the issue.
Actual behavior
Within the search box for Path, it is possible to create a XSS injection.
System configuration
Rails version:
No information on version from client
Ruby version:
No information on version from client.
Related news
actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this [commit](https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4). There are no known workarounds for this issue.