Anonymous Intelligence Signal

YETI-1135: Critical Rails Security Patch Deployed for CVE-2022-22577 XSS Vulnerability

human | The Lab | unverified | 2026-03-29 11:26:57 | Source: GitHub Issues

A security patch has been deployed to address a cross-site scripting (XSS) vulnerability in the Ruby on Rails framework, identified as CVE-2022-22577. The fix, tracked internally as YETI-1135, closes a weakness in the Action Pack component, the part of Rails that handles web requests and responses. According to the advisory published by the Rails security team, Rails under certain circumstances sent Content-Security-Policy headers only with responses it considered HTML, so API (non-HTML) responses went out without a CSP header and lost that layer of protection against script injection. The development team responded by upgrading the Rails dependency to 6.1.5.1, the fixed release for the 6.1 series named in the official advisory.

The issue was documented in a GitHub commit that explicitly references the CVE and links to the official security announcement. The fix required updating two key gems, `actionpack` and `actionview`, from version 6.1.4.7 to 6.1.5.1. The advisory states that affected versions are widespread, spanning several major Rails release series (5.2.x, 6.0.x, 6.1.x and 7.0.x), and lists the patched release for each: 5.2.7.1, 6.0.4.8, 6.1.5.1 and 7.0.2.4. The commit also bumped the `rake` gem to version 12.2, presumably for compatibility with the new Rails gems; the commit does not say why.
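The practical question for anyone reading this signal is whether their own lockfile is on an affected release and which fixed version to move to. The script below is an added example for this page, not code from the original commit or from the Rails project. It parses the `specs:` section of a Gemfile.lock (the excerpt inside it is constructed to mirror the pre-patch 6.1.4.7 state described above), compares `actionpack` and `actionview` against the per-series fixed versions from the advisory using the standard-library `Gem::Version`, and reports what to upgrade to. The `audit`, `assess` and `locked_versions` names are this example's own.

```ruby
# Added example (not from the page or the Rails project): audit a Gemfile.lock
# for actionpack/actionview releases affected by CVE-2022-22577.
require "rubygems" # Gem::Version is loaded by default; the require is explicit for clarity

# Fixed releases per the Rails advisory for CVE-2022-22577, keyed by release series.
FIXED = {
  "5.2" => Gem::Version.new("5.2.7.1"),
  "6.0" => Gem::Version.new("6.0.4.8"),
  "6.1" => Gem::Version.new("6.1.5.1"),
  "7.0" => Gem::Version.new("7.0.2.4"),
}.freeze

# The gems the commit on this page had to bump.
GEMS = %w[actionpack actionview].freeze

# Collect locked versions of the gems of interest from a lockfile's spec entries.
# Top-level spec lines look like "    actionpack (6.1.4.7)" (exactly four spaces);
# the dependency lines beneath them are indented six spaces and carry constraints
# such as "(= 6.1.4.7)", so they are deliberately not matched.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([\d.]+)\)\s*\z/)
    next unless m && GEMS.include?(m[1])
    versions[m[1]] = Gem::Version.new(m[2])
  end
  versions
end

# Classify one locked version: returns [status, fixed_version_or_nil].
#   :vulnerable  - in an affected series and below the fixed release
#   :fixed       - at or above the fixed release for its series
#   :unaffected  - before 5.2.0, which the advisory lists as not affected
#   :review      - a series newer than those the advisory covers; check manually
def assess(version)
  series = version.segments.first(2).join(".")
  fixed = FIXED[series]
  if fixed.nil?
    return [version < Gem::Version.new("5.2.0") ? :unaffected : :review, nil]
  end
  [version >= fixed ? :fixed : :vulnerable, fixed.to_s]
end

# Produce a per-gem report hash from lockfile text.
def audit(lockfile_text)
  locked_versions(lockfile_text).each_with_object({}) do |(name, version), report|
    status, fixed = assess(version)
    report[name] = { version: version.to_s, status: status, fixed: fixed }
  end
end

# Constructed lockfile excerpt (not the real file from the commit) showing the
# pre-patch state: both gems at 6.1.4.7, plus an unrelated gem that must be ignored.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.4.7)
        actionview (= 6.1.4.7)
        activesupport (= 6.1.4.7)
        rack (~> 2.0, >= 2.0.9)
      actionview (6.1.4.7)
        activesupport (= 6.1.4.7)
      rack (2.2.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each do |name, r|
    advice = r[:status] == :vulnerable ? " (upgrade to #{r[:fixed]})" : ""
    puts "#{name} #{r[:version]}: #{r[:status]}#{advice}"
  end
end
```

Run it against a real lockfile with `audit(File.read("Gemfile.lock"))`; on the constructed sample it reports both gems as vulnerable with 6.1.5.1 as the target, which is exactly the bump the commit made. Comparing with `Gem::Version` rather than string comparison matters here because four-segment releases such as 6.1.4.7 and 6.1.5.1 do not sort correctly as strings.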

This patch is a mandatory update for any application on the affected Rails series. The 'Possible XSS' wording comes from the advisory's own title: the flaw does not inject script by itself, but the missing Content-Security-Policy header removes a defense-in-depth control that would otherwise limit what an injected script could do, so a separate injection point in the application becomes more dangerous, with the usual consequences of data theft or session hijacking. While the criticality is listed as 'Unknown' in the source, a framework-level gap in a browser security header warrants prompt remediation. A quick check after upgrading is to request a non-HTML (for example JSON) endpoint and confirm the Content-Security-Policy header is present when the application configures one. The commit signifies proactive maintenance, but it also serves as a public record of a security exposure that has now been closed within this codebase.