Recently I got a mail from GitHub with the following security advisory. It says:
We found a vulnerable dependency in repositories you have security alert access to. Security Advisory GHSA-cfjv-5498-mph5
Rails version: 6.0.3.2
After doing some R&D and checking the link attached to the mail, I found that this issue is related to Action View's translation helpers.
This issue occurs when an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html: the helper treats the result as HTML-safe, so the default is rendered without being escaped.
To fix this I updated my Rails version from 6.0.3.2 to 6.0.3.3.
If you don't want to update your Rails version, you can mitigate the issue by manually escaping default translations with the html_escape helper (aliased as h):
<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>
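To make the difference concrete, here is a small added example (not code from the post or from Rails itself) that models the behaviour with a simplified translate helper and a stand-in for ActiveSupport::SafeBuffer: a missing _html key whose default is untrusted reaches the page unescaped, while wrapping the default in html_escape (as in the mitigation above) keeps it inert. The translation table and the untrusted value are constructed for the demo.

```ruby
require "erb"

# Constructed stand-in for ActiveSupport::SafeBuffer: a String that reports
# itself as already escaped, so a template would output it without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

# Constructed sample translations; "missing_html" is deliberately absent.
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze

# Simplified model of the affected helper: for a key ending in "_html" the
# looked-up value, or the default when the key is missing, is marked
# html-safe as-is. This is a model of the behaviour, not Action View's code.
def translate_vulnerable(key, default: nil)
  value = TRANSLATIONS.fetch(key) { default }
  return value unless key.end_with?("_html")

  SafeString.new(value.to_s)
end

# What a template does at render time: html-safe strings pass through
# untouched, anything else is escaped.
def render(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?

  ERB::Util.html_escape(value.to_s)
end

# The mitigation from the post: escape the untrusted default before it is
# handed to the helper, so what gets marked safe is already escaped text.
def translate_mitigated(key, default: nil)
  safe_default = default && ERB::Util.html_escape(default)
  translate_vulnerable(key, default: safe_default)
end

def demo
  untrusted = "<script>alert(1)</script>" # constructed attacker-controlled input
  {
    vulnerable: render(translate_vulnerable("missing_html", default: untrusted)),
    mitigated: render(translate_mitigated("missing_html", default: untrusted)),
    existing: render(translate_vulnerable("greeting_html"))
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The existing greeting_html key still renders its intended markup in both variants; only the untrusted default changes from live script to escaped text.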
This issue affects action_view versions >= 6.0.0.0 and <= 6.0.3.2, as well as versions <= 5.2.4.3.
It is resolved in 6.0.3.3 and 5.2.4.4.
Reference: https://github.com/advisories/GHSA-cfjv-5498-mph5