CVE-2024-32970: Phlex vulnerable to Cross-site Scripting (XSS) via maliciously formed HTML attribute names and values
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.
The reason these issues were not detected before is that the escapes were working as designed. However, their design didn’t take into account just how recklessly permissive browsers are when it comes to executing unsafe JavaScript via HTML attributes.
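As an added illustration (not Phlex's code and not the project's fix), the Ruby sketch below shows why HTML escaping alone does not cover attribute names and URL-valued attributes, and one way to validate both before rendering. The helper names, the list of URL attributes and the scheme allowlist are assumptions made for this example.

```ruby
require "cgi"

# Added illustration, not Phlex's code. All names here are hypothetical.
# Assumption: a minimal set of URL-bearing attributes and allowed schemes.
URL_ATTRIBUTES  = %w[href src action formaction].freeze
ALLOWED_SCHEMES = %w[http https mailto].freeze

# A name must be a plain token and must not be an event handler (on*),
# because the browser runs an event handler's value as script.
def safe_attribute_name?(name)
  n = name.to_s
  n.match?(/\A[a-zA-Z][a-zA-Z0-9_:.-]*\z/) && !n.match?(/\Aon/i)
end

# For URL attributes, check the scheme after dropping whitespace and control
# characters. Browsers strip some of these while parsing a URL; removing all
# of them before the check is the conservative choice.
def safe_attribute_value?(name, value)
  return true unless URL_ATTRIBUTES.include?(name.to_s.downcase)
  normalized = value.to_s.gsub(/[\x00-\x20]/, "").downcase
  scheme = normalized[/\A([a-z][a-z0-9+.-]*):/, 1]
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Validate first, then escape: escaping alone leaves both cases above intact.
def render_attributes(attrs)
  attrs.map do |name, value|
    raise ArgumentError, "unsafe attribute name: #{name.inspect}" unless safe_attribute_name?(name)
    raise ArgumentError, "unsafe value for #{name}" unless safe_attribute_value?(name, value)
    %( #{name}="#{CGI.escapeHTML(value.to_s)}")
  end.join
end

if __FILE__ == $PROGRAM_NAME
  sample = "javascript:alert(1)" # constructed sample value
  puts CGI.escapeHTML(sample) == sample # escaping changes nothing here
  puts render_attributes({ "class" => "a&b", "href" => "/docs?x=1" })
end
```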
References
- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- github.com/advisories/GHSA-9p57-h987-4vgx
- github.com/payloadbox/xss-payload-list
- github.com/phlex-ruby/phlex
- github.com/phlex-ruby/phlex/commit/da8f94342a84cff9d78c98bcc3b3604ee2e577d2
- github.com/phlex-ruby/phlex/security/advisories/GHSA-9p57-h987-4vgx
- nvd.nist.gov/vuln/detail/CVE-2024-32970
- rubygems.org/gems/phlex
- rubygems.org/gems/phlex/versions/1.10.2
- rubygems.org/gems/phlex/versions/1.9.3