CVE-2024-32463

Summary

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an <a> tag could be bypassed with tab \t or newline \n characters between the characters of the protocol, e.g. java\tscript:. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allow unsafe-inline would effectively prevent this vulnerability from being exploited.

Affected Software

VendorProductVersion RangeStatus
phlex-rubyphlex>= 1.10.0, < 1.10.1affected
phlex-rubyphlex>= 1.9.0, < 1.9.2affected
phlex-rubyphlex>= 1.8.0, < 1.8.3affected
phlex-rubyphlex>= 1.7.0, < 1.7.2affected
phlex-rubyphlex>= 1.6.0, < 1.6.3affected
phlex-rubyphlex>= 1.5.0, < 1.5.3affected
phlex-rubyphlex>= 1.4.0, < 1.4.2affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References