diff --git a/gems/phlex/CVE-2024-32970.yml b/gems/phlex/CVE-2024-32970.yml new file mode 100644 index 0000000000..9812ce9fb4 --- /dev/null +++ b/gems/phlex/CVE-2024-32970.yml 
@@ -0,0 +1,75 @@ +--- +gem: phlex +cve: 2024-32970 +ghsa: 9p57-h987-4vgx +url: https://github.com/phlex-ruby/phlex/security/advisories/GHSA-9p57-h987-4vgx +title: Phlex vulnerable to Cross-site Scripting (XSS) via maliciously + formed HTML attribute names and values +date: 2024-05-01 +description: | + There is a potential cross-site scripting (XSS) vulnerability that + can be exploited via maliciously crafted user data. + + The reason these issues were not detected before is the escapes were + working as designed. However, their design didn't take into account + just how recklessly permissive browser are when it comes to executing + unsafe JavaScript via HTML attributes. + + ### Impact + + If you render an `` tag with an `href` attribute set to an + user-provided link, that link could potentially execute JavaScript + when clicked by another user. + + ```ruby + a(href: user_profile) { "Profile" } + ``` + + If you splat user-provided attributes when rendering any HTML or SVG + tag, malicious event attributes could be included in the output, + executing JavaScript when the events are triggered by another user. + + ```ruby + h1(**JSON.parse(user_attributes)) + ``` + + ### Patches + + Patches are [available on RubyGems](https://rubygems.org/gems/phlex) + for all minor versions released in the last year. + + - [1.10.2](https://rubygems.org/gems/phlex/versions/1.10.2) + - [1.9.3](https://rubygems.org/gems/phlex/versions/1.9.3) + + If you are on `main`, it has been patched since + [`da8f943`](https://github.com/phlex-ruby/phlex/commit/da8f94342a84cff9d78c98bcc3b3604ee2e577d2) + + ### Workarounds + + Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) + that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) + would effectively prevent this vulnerability from being exploited. 
+ + ### References + + In addition to upgrading to a patched version of Phlex, we strongly + recommend configuring a Content Security Policy header that does + not allow `unsafe-inline`. Here’s how you can configure a Content + Security Policy header in Rails. + https://guides.rubyonrails.org/security.html#content-security-policy-header +cvss_v3: 7.1 +patched_versions: + - "~> 1.9.3" + - ">= 1.10.2" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2024-32970 + - https://github.com/phlex-ruby/phlex/security/advisories/GHSA-9p57-h987-4vgx + - https://github.com/phlex-ruby/phlex/commit/da8f94342a84cff9d78c98bcc3b3604ee2e577d2 + - https://rubygems.org/gems/phlex + - https://rubygems.org/gems/phlex/versions/1.10.2 + - https://rubygems.org/gems/phlex/versions/1.9.3 + - https://github.com/payloadbox/xss-payload-list + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline + - https://github.com/advisories/GHSA-9p57-h987-4vgx
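Review bot: The Impact section of the description in this hunk loses the element name: the text reads "If you render an `` tag with an `href` attribute", an empty code span where the `<a>` element was intended (the example directly below it is `a(href: user_profile) { "Profile" }`), so it should read "If you render an `<a>` tag with an `href` attribute set to a user-provided link". Two smaller points in the same description: "just how recklessly permissive browser are" should be "browsers are", and the `### References` section contains a CSP recommendation paragraph rather than references; since `### Workarounds` already covers the Content Security Policy advice, consider moving that paragraph there and leaving only the Rails guide URL under References so the heading matches its content.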