GHSA-242p-4v39-2v8g

Source
https://github.com/advisories/GHSA-242p-4v39-2v8g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-242p-4v39-2v8g/GHSA-242p-4v39-2v8g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-242p-4v39-2v8g
Aliases
Published
2024-03-12T15:39:46Z
Modified
2024-03-14T21:50:37.434787Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Summary
Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
Details

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. It was caused by improper case-sensitivity in the code that was meant to prevent these attacks: the checks for dangerous attribute names and values compared in a case-sensitive way, so differently cased variants were not caught.

Impact

If you render an <a> tag with an href attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

a(href: user_profile) { "Profile" }

If you splat user-provided attributes when rendering any HTML or SVG tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.

h1(**JSON.parse(user_attributes))

Patches

Patches are available on RubyGems for all 1.x minor versions. The patched versions are 1.9.1, 1.8.2, 1.7.1, 1.6.2, 1.5.2, 1.4.1, 1.3.3, 1.2.2, 1.1.1 and 1.0.1.

If you are on main, it has been patched since commit aa50c60.

Workarounds

Configuring a Content Security Policy that does not allow unsafe-inline would effectively prevent this vulnerability from being exploited.

References

In addition to upgrading to a patched version of Phlex, we strongly recommend configuring a Content Security Policy header that does not allow unsafe-inline. The Rails security guide describes how to configure a Content Security Policy header: https://guides.rubyonrails.org/security.html#content-security-policy-header

Database specific
{
    "nvd_published_at": "2024-03-11T23:15:47Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-12T15:39:46Z"
}
References

Affected packages

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.9.0
Fixed
1.9.1

Affected versions

1.*

1.9.0

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.8.0
Fixed
1.8.2

Affected versions

1.*

1.8.0
1.8.1

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7.0
Fixed
1.7.1

Affected versions

1.*

1.7.0

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.6.0
Fixed
1.6.2

Affected versions

1.*

1.6.0
1.6.1

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.5.0
Fixed
1.5.2

Affected versions

1.*

1.5.0
1.5.1

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4.0
Fixed
1.4.1

Affected versions

1.*

1.4.0

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.3

Affected versions

1.*

1.3.0
1.3.1
1.3.2

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.2

Affected versions

1.*

1.2.0
1.2.1

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.0
Fixed
1.1.1

Affected versions

1.*

1.1.0

RubyGems / phlex

Package

Name
phlex
Purl
pkg:gem/phlex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.1

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3

1.*

1.0.0.rc1
1.0.0.rc2
1.0.0