Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
CVE-2024-32970
What is CVE-2024-32970?
Phlex, a Ruby framework for building object-oriented views, contains a cross-site scripting (XSS) vulnerability. It stems from the framework's handling of user-supplied data when rendering HTML attributes: if attacker-controlled input reaches an attribute name or value, a crafted link can execute unsafe JavaScript in the browser of an unsuspecting user who clicks it. The escaping filters themselves worked as designed; what they did not account for is how permissively modern browsers execute script through the many HTML attribute channels available to them, so escaping alone was not enough. Phlex users should upgrade to the patched releases published on RubyGems or, as a mitigation, deploy a strong Content Security Policy (CSP) that does not allow unsafe-inline scripts. Because the framework renders user-generated content directly, developers should treat these security practices as a priority.
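Why escaping the value alone is not enough, as an added example that is not Phlex's own code: a small attribute renderer that treats attribute names as untrusted too, rejecting malformed names, event-handler (on*) attributes and non-allowlisted URL schemes before escaping the value. The name pattern, the list of URL-bearing attributes and the scheme allowlist are assumptions chosen for this illustration.

```ruby
require "cgi"

# Added example, not Phlex's own code: an attribute renderer that treats
# attribute NAMES as untrusted input as well as values. Escaping a value is
# correct but not sufficient: an event-handler attribute or a script-scheme
# URL executes JavaScript without ever breaking out of the quoted value.
module SafeAttrs
  # Assumed policy for this example: names are letters, digits, '-', '_', ':'.
  NAME_PATTERN = /\A[a-z][a-z0-9_:-]*\z/i
  # Attributes whose value the browser navigates to or executes (assumed list).
  URL_ATTRS = %w[href src action formaction xlink:href].freeze
  # Schemes allowed in those attributes; anything else (javascript:, data:, ...) is rejected.
  SAFE_SCHEMES = %w[http https mailto tel].freeze
  SCHEME_PATTERN = /\A([a-z][a-z0-9+.-]*):/i

  class UnsafeAttribute < StandardError; end

  # True when the value carries a scheme outside the allowlist. Browsers
  # ignore ASCII control characters and whitespace inside a scheme, so strip
  # them before matching rather than trusting the raw string.
  def self.unsafe_url?(value)
    normalized = value.to_s.gsub(/[\x00-\x20]/, "")
    m = SCHEME_PATTERN.match(normalized)
    return false unless m # relative URL, no scheme
    !SAFE_SCHEMES.include?(m[1].downcase)
  end

  # Renders an attribute hash to an HTML attribute string. Raises
  # UnsafeAttribute instead of silently emitting something executable.
  def self.render(attrs)
    attrs.map do |name, value|
      name = name.to_s
      unless name.match?(NAME_PATTERN)
        raise UnsafeAttribute, "malformed attribute name: #{name.inspect}"
      end
      if name.downcase.start_with?("on")
        raise UnsafeAttribute, "event-handler attribute rejected: #{name}"
      end
      if URL_ATTRS.include?(name.downcase) && unsafe_url?(value)
        raise UnsafeAttribute, "unsafe URL scheme in #{name}"
      end
      %(#{name}="#{CGI.escapeHTML(value.to_s)}")
    end.join(" ")
  end
end
```

A render-time allowlist like this and the CSP the advisory recommends cover different failure modes, so use them together rather than choosing one.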
Affected Version(s)
| Package | Affected versions | Patched version |
| --- | --- | --- |
| phlex | < 1.9.3 | 1.9.3 |
| phlex | >= 1.10.0, < 1.10.2 | 1.10.2 |