logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-32463 phlex

Package

Manager: gem
Name: phlex
Vulnerable Version: =1.10.0 || >=1.10.0 <1.10.1 || >=1.9.0 <1.9.2 || >=1.8.0 <1.8.3 || >=1.7.0 <1.7.2 || >=1.6.0 <1.6.3 || >=1.5.0 <1.5.3 || >=0 <1.4.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00137 pctl0.34312

Details

Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags ### Summary There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. ### Impact If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. ```ruby a(href: user_profile) { "Profile" } ``` ### Mitigation The best way to mitigate this vulnerability is to update to one of the following versions: - [1.10.1](https://rubygems.org/gems/phlex/versions/1.10.1) - [1.9.2](https://rubygems.org/gems/phlex/versions/1.9.2) - [1.8.3](https://rubygems.org/gems/phlex/versions/1.8.3) - [1.7.2](https://rubygems.org/gems/phlex/versions/1.7.2) - [1.6.3](https://rubygems.org/gems/phlex/versions/1.6.3) - [1.5.3](https://rubygems.org/gems/phlex/versions/1.5.3) - [1.4.2](https://rubygems.org/gems/phlex/versions/1.4.2) ### Workarounds Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.

Metadata

Created: 2024-04-17T00:20:23Z
Modified: 2024-04-19T21:44:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-g7xq-xv8c-h98c/GHSA-g7xq-xv8c-h98c.json
CWE IDs: ["CWE-79", "CWE-87"]
Alternative ID: GHSA-g7xq-xv8c-h98c
Finding: F008
Auto approve: 1