Headline
GHSA-242p-4v39-2v8g: Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks.
Impact
If you render an <a>
tag with an href
attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.
a(href: user_profile) { "Profile" }
If you splat user-provided attributes when rendering any HTML or SVG tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.
h1(**JSON.parse(user_attributes))
Patches
Patches are available on RubyGems for all 1.x
minor versions. The patched versions are:
If you are on main
, it has been patched since aa50c60
Workarounds
Configuring a Content Security Policy that does not allow unsafe-inline
would effectively prevent this vulnerability from being exploited.
References
In addition to upgrading to a patched version of Phlex, we strongly recommend configuring a Content Security Policy header that does not allow unsafe-inline
. Here’s how you can configure a Content Security Policy header in Rails. https://guides.rubyonrails.org/security.html#content-security-policy-header
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-28199
Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
High severity GitHub Reviewed Published Mar 11, 2024 in phlex-ruby/phlex • Updated Mar 12, 2024
Package
Affected versions
= 1.9.0
>= 1.8.0, < 1.8.2
= 1.7.0
>= 1.6.0, < 1.6.2
>= 1.5.0, < 1.5.2
= 1.4.0
>= 1.3.0, < 1.3.3
>= 1.2.0, < 1.2.2
= 1.1.0
< 1.0.1
Patched versions
1.9.1
1.8.2
1.7.1
1.6.2
1.5.2
1.4.1
1.3.3
1.2.2
1.1.1
1.0.1
Description
Published to the GitHub Advisory Database
Mar 12, 2024
Last updated
Mar 12, 2024