CVE-2024-39311

Source
https://cve.org/CVERecord?id=CVE-2024-39311
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39311.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-39311
Aliases
Published
2025-03-28T14:38:03.816Z
Modified
2026-07-15T01:48:58.537786088Z
Severity
  • 1.8 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P CVSS Calculator
Summary
Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction
Details

Publify is a self hosted Web publishing platform on Rails. Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the publify_core rubygem, publisher on a publify application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. The exploitation of this XSS vulnerability requires the administrator to click a malicious link. An attack could attempt to hide their payload by using HTML, or other encodings, as to not make it obvious to an administrator that this is a malicious link. A publisher may attempt to use this vulnerability to escalate their privileges and become an administrator. Version 10.0.1 of Publify and version 10.0.2 of the publify_core rubygem fix the issue.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39311.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/publify/publify

Affected ranges

Type
GIT
Repo
https://github.com/publify/publify
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:publify:publify:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.0.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

Other
5_3_0
release_5_1_98
release_5_2_0
release_5_2_98
release_5_4_0
release_5_4_1
release_5_4_4
release_5_5
release_6_0_0
release_6_0_1
release_6_0_2
release_6_0_3
release_6_0_4
release_6_0_6
release_6_0_7
release_6_0_9
release_6_1_0
release_6_1_1
release_6_1_2
release_6_1_3
release_6_1_4
release_7_0_0-beta1
6.*
6.9.0
7.*
7.0.0
7.1.0
release-1.*
release-1.6.7
release-5.*
release-5.0.3
release-5.0.3-no-rly
release-5.0.3.98
release-5.1
release-5.1.1
release-5.1.2
release-5.1.3
v10.*
v10.0.0
v8.*
v8.0
v8.0.1
v8.0.2
v8.1.0
v8.1.1
v8.2.0
v8.3.0
v8.3.1
v9.*
v9.0.0
v9.0.1
v9.1.0
v9.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39311.json"