CVE-2024-32463
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-32463
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32463.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-32463
- Aliases
- Published
- 2024-04-17T16:15:09Z
- Modified
- 2024-10-08T04:10:53.939375Z
- Summary
- [none]
- Details
-
phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the
javascript:URL scheme in thehrefattribute of an<a>tag could be bypassed with tab\tor newline\ncharacters between the characters of the protocol, e.g.java\tscript:. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allowunsafe-inlinewould effectively prevent this vulnerability from being exploited. - References
-
- https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
- https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline