diff --git a/gems/govuk_tech_docs/CVE-2024-22048.yml b/gems/govuk_tech_docs/CVE-2024-22048.yml
index fa1133c06b..4459e697d1 100644
--- a/gems/govuk_tech_docs/CVE-2024-22048.yml
+++ b/gems/govuk_tech_docs/CVE-2024-22048.yml
@@ -26,6 +26,7 @@ description: |
 ### Patches
 This has been fixed in v3.3.1. HTML is now sanitised in search results.
+cvss_v3: 6.1
 unaffected_versions:
 - "< 2.0.2"
 patched_versions:
diff --git a/gems/govuk_tech_docs/GHSA-x2xw-hw8g-6773.yml b/gems/govuk_tech_docs/GHSA-x2xw-hw8g-6773.yml
deleted file mode 100644
index 73d6782087..0000000000
--- a/gems/govuk_tech_docs/GHSA-x2xw-hw8g-6773.yml
+++ /dev/null
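Review bot: The added `cvss_v3: 6.1` records a score whose qualitative CVSS rating is Medium, while the advisory text that precedes it in this file (the same description the deleted GHSA-x2xw-hw8g-6773.yml carried) calls the issue "low risk", and nothing in the hunk says which of the two a consumer should trust. The score is consistent with the description's own facts — a reflected XSS reachable via a crafted search URL needs user interaction and has limited impact — but a reader of the YAML only sees the two disagreeing labels. A comment above the new key would resolve this without changing the data: `# CVSS v3 base score from the published advisory; Medium by CVSS rating even though the maintainers' own text above rates practical risk as low`. The value itself is fine as an unquoted float, since the schema field is numeric rather than a version-like string. The `description` block this hunk sits in starts before the hunk, so I cannot confirm the "low risk" wording survived into this file.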
@@ -1,34 +0,0 @@
----
-gem: govuk_tech_docs
-ghsa: x2xw-hw8g-6773
-url: https://github.com/alphagov/tech-docs-gem/security/advisories/GHSA-x2xw-hw8g-6773
-title: govuk_tech_docs vulnerable to unescaped HTML on search results page
-date: 2023-04-11
-description: |
- Impact
- Pages that are indexed in search results have their entire contents
- indexed, including any HTML code snippets. These HTML snippets would
- appear in the search results unsanitised, so it was possible to render
- arbitrary HTML or run arbitrary scripts.
-
- This is a low risk security issue; to exploit it, an attacker would
- need to find a way of committing malicious code to a page indexed by
- a site that uses tech-docs-gem (which are typically not editable by
- untrusted users). Their code would also be limited by the relatively
- short length that's rendered in the corresponding search result.
- Nevertheless, the XSS would then be triggerable by visiting a
- pre-constructed URL (/search/index.html?q=some+search+term), which
- users could be tricked into clicking on through social engineering.
-
- Patches
- This has been fixed in v3.3.1. HTML is now sanitised in search results.
-unaffected_versions:
- - "< 2.0.2"
-patched_versions:
- - ">= 3.3.1"
-related:
- url:
- - https://github.com/alphagov/tech-docs-gem/security/advisories/GHSA-x2xw-hw8g-6773
- - https://github.com/alphagov/tech-docs-gem/pull/323
- - https://github.com/alphagov/tech-docs-gem/releases/tag/v3.3.1
- - https://github.com/advisories/GHSA-x2xw-hw8g-6773