CVE-2024-32463: phlex makes Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
First published: Wed Apr 17 2024(Updated: )
### Summary There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. ### Impact If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. ```ruby a(href: user_profile) { "Profile" } ``` ### Mitigation The best way to mitigate this vulnerability is to update to one of the following versions: - [1.10.1](https://rubygems.org/gems/phlex/versions/1.10.1) - [1.9.2](https://rubygems.org/gems/phlex/versions/1.9.2) - [1.8.3](https://rubygems.org/gems/phlex/versions/1.8.3) - [1.7.2](https://rubygems.org/gems/phlex/versions/1.7.2) - [1.6.3](https://rubygems.org/gems/phlex/versions/1.6.3) - [1.5.3](https://rubygems.org/gems/phlex/versions/1.5.3) - [1.4.2](https://rubygems.org/gems/phlex/versions/1.4.2) ### Workarounds Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/phlex | <1.4.2 | 1.4.2 |
| rubygems/phlex | >=1.5.0<1.5.3 | 1.5.3 |
| rubygems/phlex | >=1.6.0<1.6.3 | 1.6.3 |
| rubygems/phlex | >=1.7.0<1.7.2 | 1.7.2 |
| rubygems/phlex | >=1.8.0<1.8.3 | 1.8.3 |
| rubygems/phlex | >=1.9.0<1.9.2 | 1.9.2 |
| rubygems/phlex | =1.10.0 | 1.10.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
- https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
- https://nvd.nist.gov/vuln/detail/CVE-2024-32463
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32463.yml
- https://github.com/advisories/GHSA-g7xq-xv8c-h98c (Advisory)
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/type
- agent/severity
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g7xq-xv8c-h98c
- alias/CVE-2024-32463
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/github-advisory
- package-manager/rubygems