CVE-2024-21636 - Vulnerability Details - OpenCVE

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Viewcomponent	View Component

Configuration 1 [-]

OR	cpe:2.3:a:viewcomponent:view_component::::::ruby::*
	cpe:2.3:a:viewcomponent:view_component::::::ruby::*

No data.

References

Link	Providers
https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017
https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697
https://github.com/ViewComponent/view_component/pull/1950
https://github.com/ViewComponent/view_component/pull/1962
https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37

History

Tue, 17 Jun 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-04T20:09:08.564Z

Updated: 2025-06-17T20:29:11.989Z

Reserved: 2023-12-29T03:00:44.957Z

Link: CVE-2024-21636

Vulnrichment

Updated: 2024-08-01T22:27:35.781Z

NVD

Status : Modified

Published: 2024-01-04T20:15:25.300

Modified: 2024-11-21T08:54:46.410

Link: CVE-2024-21636

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21636", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.957Z", "datePublished": "2024-01-04T20:09:08.564Z", "dateUpdated": "2025-06-17T20:29:11.989Z"}, "containers": {"cna": {"title": "view_component Cross-site Scripting vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"}, {"name": "https://github.com/ViewComponent/view_component/pull/1950", "tags": ["x_refsource_MISC"], "url": "https://github.com/ViewComponent/view_component/pull/1950"}, {"name": "https://github.com/ViewComponent/view_component/pull/1962", "tags": ["x_refsource_MISC"], "url": "https://github.com/ViewComponent/view_component/pull/1962"}, {"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017", "tags": ["x_refsource_MISC"], "url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"}, {"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697", "tags": ["x_refsource_MISC"], "url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"}], "affected": [{"vendor": "ViewComponent", "product": "view_component", "versions": [{"version": ">= 3.0.0, < 3.9.0", "status": "affected"}, {"version": "< 2.83.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-09T15:49:12.734Z"}, "descriptions": [{"lang": "en", "value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."}], "source": {"advisory": "GHSA-wf2x-8w6j-qw37", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.781Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"}, {"name": "https://github.com/ViewComponent/view_component/pull/1950", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ViewComponent/view_component/pull/1950"}, {"name": "https://github.com/ViewComponent/view_component/pull/1962", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ViewComponent/view_component/pull/1962"}, {"name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"}, {"name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-09T21:13:15.952519Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T20:29:11.989Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37", "name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/ViewComponent/view_component/pull/1950", "name": "https://github.com/ViewComponent/view_component/pull/1950", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ViewComponent/view_component/pull/1962", "name": "https://github.com/ViewComponent/view_component/pull/1962", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017", "name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697", "name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.781Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-21636", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-09T21:13:15.952519Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-17T20:25:16.512Z"}}], "cna": {"title": "view_component Cross-site Scripting vulnerability", "source": {"advisory": "GHSA-wf2x-8w6j-qw37", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "ViewComponent", "product": "view_component", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.9.0"}, {"status": "affected", "version": "< 2.83.0"}]}], "references": [{"url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37", "name": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/ViewComponent/view_component/pull/1950", "name": "https://github.com/ViewComponent/view_component/pull/1950", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ViewComponent/view_component/pull/1962", "name": "https://github.com/ViewComponent/view_component/pull/1962", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017", "name": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697", "name": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-09T15:49:12.734Z"}}}, "cveMetadata": {"cveId": "CVE-2024-21636", "state": "PUBLISHED", "dateUpdated": "2025-06-17T20:29:11.989Z", "dateReserved": "2023-12-29T03:00:44.957Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-01-04T20:09:08.564Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:viewcomponent:view_component:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "7E014569-73E5-4B59-8BC9-4EE2E2EE7F8E", "versionEndExcluding": "2.83.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:viewcomponent:view_component:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "A7D836B9-1CF7-4AEA-9FC7-BA0EEFDE3465", "versionEndExcluding": "3.9.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` methodis not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."}, {"lang": "es", "value": "view_component es un framework para crear componentes de vista reutilizables, comprobables y encapsulados en Ruby on Rails. Las versiones anteriores a la 3.9.0 tienen una vulnerabilidad de cross site scripting que tiene el potencial de afectar a cualquiera que renderice un componente directamente desde un controlador con la gema view_component. Tenga en cuenta que s\u00f3lo se ven afectados los componentes que definen un m\u00e9todo `#call` (es decir, en lugar de utilizar una plantilla complementaria). El valor de retorno del m\u00e9todo `#call` no est\u00e1 sanitizado y puede incluir contenido definido por el usuario. Adem\u00e1s, el valor de retorno del m\u00e9todo `#output_postamble` no est\u00e1 sanitizado, lo que tambi\u00e9n puede provocar problemas de cross site scripting. Se lanz\u00f3 la versi\u00f3n 3.9.0 y mitiga por completo las vulnerabilidades `#call` y `#output_postamble`. Como workaround, sanitice valor de retorno de `#call`."}], "id": "CVE-2024-21636", "lastModified": "2024-11-21T08:54:46.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-04T20:15:25.300", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/ViewComponent/view_component/pull/1950"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/ViewComponent/view_component/pull/1962"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/ViewComponent/view_component/pull/1950"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/ViewComponent/view_component/pull/1962"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}