logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-39308 rails_admin

Package

Manager: gem
Name: rails_admin
Vulnerable Version: >=3.0.0.beta <3.1.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

EPSS: 0.02464 pctl0.84664

Details

RailsAdmin Cross-site Scripting vulnerability in the list view ### Impact RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. The issue was originally reported in https://github.com/railsadminteam/rails_admin/issues/3686. ### Patches Upgrade to [3.1.4](https://rubygems.org/gems/rails_admin/versions/3.1.4). The vulnerability itself was patched in 3.1.3 but it has a functionality issue. Initially the vulnerability was thought to exist in versions before 3.0, but it didn't. 2.x users can stay on 2.2.1. ### Workarounds 1. Copy the index view (located under the path `app/views/rails_admin/main/index.html.erb`) from the RailsAdmin version you use, and place it into your application by using the same path. 2. Open the view file by an editor, and change the way to populate the td tag: ```diff <% properties.map{ |property| property.bind(:object, object) }.each do |property| %> <% value = property.pretty_value %> - <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= value %>"> + <%= content_tag(:td, class: [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?), title: strip_tags(value.to_s)) do %> <%= value %> - </td> + <% end %> <% end %> ``` **Note:** The view file created by this needs to be removed after upgrading RailsAdmin afterwards, unless this old view continue to be used. Only do this if you can't upgrade RailsAdmin now for a reason. ### References https://owasp.org/www-community/attacks/xss/ https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-strip_tags

Metadata

Created: 2024-07-08T14:14:43Z
Modified: 2024-07-11T20:24:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-8qgm-g2vv-vwvc/GHSA-8qgm-g2vv-vwvc.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8qgm-g2vv-vwvc
Finding: F008
Auto approve: 1