-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2024-32463.yml
55 lines (44 loc) · 2.33 KB
/
CVE-2024-32463.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
---
gem: phlex
cve: 2024-32463
ghsa: g7xq-xv8c-h98c
url: https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
title: Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
date: 2024-04-16
description: |
### Summary
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.
Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`.
### Impact
If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.
```ruby
a(href: user_profile) { "Profile" }
```
### Mitigation
The best way to mitigate this vulnerability is to update to one of the following versions:
- [1.10.1](https://rubygems.org/gems/phlex/versions/1.10.1)
- [1.9.2](https://rubygems.org/gems/phlex/versions/1.9.2)
- [1.8.3](https://rubygems.org/gems/phlex/versions/1.8.3)
- [1.7.2](https://rubygems.org/gems/phlex/versions/1.7.2)
- [1.6.3](https://rubygems.org/gems/phlex/versions/1.6.3)
- [1.5.3](https://rubygems.org/gems/phlex/versions/1.5.3)
- [1.4.2](https://rubygems.org/gems/phlex/versions/1.4.2)
### Workarounds
Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.
cvss_v3: 7.1
patched_versions:
- "~> 1.4.2"
- "~> 1.5.3"
- "~> 1.6.3"
- "~> 1.7.2"
- "~> 1.8.3"
- "~> 1.9.2"
- ">= 1.10.1"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-28199
- https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
- https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
- https://github.com/advisories/GHSA-g7xq-xv8c-h98c