{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T06:04:07.738","vulnerabilities":[{"cve":{"id":"CVE-2024-21636","sourceIdentifier":"security-advisories@github.com","published":"2024-01-04T20:15:25.300","lastModified":"2024-11-21T08:54:46.410","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` method is not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`."},{"lang":"es","value":"view_component es un framework para crear componentes de vista reutilizables, comprobables y encapsulados en Ruby on Rails. Las versiones anteriores a la 3.9.0 tienen una vulnerabilidad de cross site scripting que tiene el potencial de afectar a cualquiera que renderice un componente directamente desde un controlador con la gema view_component. Tenga en cuenta que sólo se ven afectados los componentes que definen un método `#call` (es decir, en lugar de utilizar una plantilla complementaria). El valor de retorno del método `#call` no está sanitizado y puede incluir contenido definido por el usuario. Además, el valor de retorno del método `#output_postamble` no está sanitizado, lo que también puede provocar problemas de cross site scripting. Se lanzó la versión 3.9.0 y mitiga por completo las vulnerabilidades `#call` y `#output_postamble`. Como workaround, sanitice valor de retorno de `#call`."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:viewcomponent:view_component:*:*:*:*:*:ruby:*:*","versionEndExcluding":"2.83.0","matchCriteriaId":"7E014569-73E5-4B59-8BC9-4EE2E2EE7F8E"},{"vulnerable":true,"criteria":"cpe:2.3:a:viewcomponent:view_component:*:*:*:*:*:ruby:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.9.0","matchCriteriaId":"A7D836B9-1CF7-4AEA-9FC7-BA0EEFDE3465"}]}]}],"references":[{"url":"https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697","source":"security-advisories@github.com","tags":["Patch"]},{"url":
"https://github.com/ViewComponent/view_component/pull/1950","source":"security-advisories@github.com","tags":["Exploit","Issue Tracking","Patch"]},{"url":"https://github.com/ViewComponent/view_component/pull/1962","source":"security-advisories@github.com","tags":["Issue Tracking"]},{"url":"https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/ViewComponent/view_component/commit/0d26944a8d2730ea40e60eae23d70684483e5017","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/ViewComponent/view_component/commit/c43d8bafa7117cbce479669a423ab266de150697","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/ViewComponent/view_component/pull/1950","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Patch"]},{"url":"https://github.com/ViewComponent/view_component/pull/1962","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking"]},{"url":"https://github.com/ViewComponent/view_component/security/advisories/GHSA-wf2x-8w6j-qw37","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}