CVE-2024-32463

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-32463

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32463.json

Aliases

GHSA-g7xq-xv8c-h98c

Published

2024-04-17T16:15:09Z

Modified

2024-05-14T13:11:05.434832Z

Summary

[none]

Details

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an <a> tag could be bypassed with tab \t or newline \n characters between the characters of the protocol, e.g. java\tscript:. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allow unsafe-inline would effectively prevent this vulnerability from being exploited.

References

Affected packages

Git / github.com/phlex-ruby/phlex

Affected ranges

Type: GIT
Repo: https://github.com/phlex-ruby/phlex
Events: Introduced

0The exact introduced commit is unknown

Fixed

9e3f5b980655817993682e409cbda72956d865cb

Affected versions

0.*

0.2.0

0.2.1

0.2.2

0.3.0

0.3.1

0.3.2

0.4.0

0.5.0

0.5.1

0.5.2

0.5.3

1.*

1.0.0

1.0.0.rc1

1.0.0.rc2

1.1.0

1.10.0

1.2.0

1.2.1

1.3.0

1.3.1

1.3.2

1.4.0

1.5.0

1.5.1

1.6.0

1.6.1

1.7.0

1.8.0

1.8.1

1.9.0