Cross-Site Scripting (XSS) Vulnerability in Phlex Affects User-Provided Data
CVE-2024-28199

CVSS score: 6.1 (MEDIUM)

Key Information:

Vendor: Phlex-ruby
Status: Vendor
CVE Published: 11 March 2024

What is CVE-2024-28199?

The Phlex framework, designed for creating object-oriented views in Ruby, is exposed to a potential cross-site scripting vulnerability because its attribute checks were not performed case-insensitively. This flaw allows attackers to craft malicious user data that executes JavaScript when a user clicks an <a> tag whose href is a user-provided link. Additionally, if user-provided attributes are splatted when rendering HTML tags, dangerous event-handler attributes can be included, resulting in unsanctioned JavaScript execution when triggered by another user. To mitigate this risk, users are strongly encouraged to upgrade to the patched releases published on RubyGems for each 1.x minor version. As an alternative to an immediate upgrade, configuring a robust content security policy that does not allow 'unsafe-inline' is recommended.
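The following is an added example, not Phlex's own code: a small HTML attribute filter in Ruby that contrasts a case-sensitive check (the bug class this advisory describes) with a case-insensitive one covering both the javascript: URL case and the on* event-handler case. The helper names, the URL attribute list and the sample attributes are assumptions constructed for the example.

```ruby
# Added example, not Phlex's own code. Attribute names and sample data are
# constructed for illustration.

# Attributes whose value the browser treats as a navigable/loadable URL (assumed list).
URL_ATTRIBUTES = %w[href src action formaction].freeze

# Case-sensitive check: misses "JavaScript:", "OnClick", "ONLOAD" and the like.
def naive_unsafe?(name, value)
  name = name.to_s
  name.start_with?("on") ||
    (name == "href" && value.to_s.start_with?("javascript:"))
end

# Normalise a URL the way browsers do before scheme detection: drop ASCII
# tab/newline anywhere, strip leading C0 controls and spaces, then downcase.
# Returns the scheme including the colon, or "" if there is no scheme.
def normalized_scheme(value)
  s = value.to_s.delete("\t\n\r").sub(/\A[\x00-\x20]+/, "")
  s.downcase[/\A[a-z][a-z0-9+.\-]*:/].to_s
end

# true for event-handler attributes (on*), compared case-insensitively
def event_handler_attribute?(name)
  name.to_s.downcase.start_with?("on")
end

# true when the value would run script if placed in a URL attribute
def script_url?(value)
  normalized_scheme(value) == "javascript:"
end

def attribute_safe?(name, value)
  return false if event_handler_attribute?(name)
  return false if URL_ATTRIBUTES.include?(name.to_s.downcase) && script_url?(value)
  true
end

# Splits user-provided attributes into [accepted, rejected] hashes.
def partition_attributes(attrs)
  attrs.partition { |name, value| attribute_safe?(name, value) }.map(&:to_h)
end

# Constructed sample of user-provided attributes
USER_ATTRS = {
  "href" => " JavaScript:alert(1)", # mixed-case scheme plus leading space
  "OnClick" => "alert(1)",          # mixed-case event handler
  "class" => "btn",
  "title" => "Profile",
}.freeze

if __FILE__ == $PROGRAM_NAME
  accepted, rejected = partition_attributes(USER_ATTRS)
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

Both sample attributes pass the naive check and are rejected by the case-insensitive one.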

Affected Version(s)

phlex = 1.9.0
phlex >= 1.8.0, < 1.8.2
phlex = 1.7.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability Reserved