Vulnerability-Lookup

CVE-2024-28199 (GCVE-0-2024-28199)

Vulnerability from cvelistv5 – Published: 2024-03-11 22:50 – Updated: 2024-08-02 00:48

Title

Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex

Summary

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/phlex-ruby/phlex/security/advi…	x_refsource_CONFIRM
	https://github.com/phlex-ruby/phlex/commit/aa50c6…	x_refsource_MISC
	https://developer.mozilla.org/en-US/docs/Web/HTTP…	x_refsource_MISC
	https://developer.mozilla.org/en-US/docs/Web/HTTP…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	phlex-ruby	phlex	Affected: = 1.9.0 Affected: >= 1.8.0, < 1.8.2 Affected: = 1.7.0 Affected: >= 1.6.0, < 1.6.2 Affected: >= 1.5.0, < 1.5.2 Affected: = 1.4.0 Affected: >= 1.3.0, < 1.3.3 Affected: >= 1.2.0, < 1.2.2 Affected: = 1.1.0 Affected: < 1.0.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-28199",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-12T15:49:25.218232Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T18:03:58.780Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:48:49.443Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g"
          },
          {
            "name": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1"
          },
          {
            "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
          },
          {
            "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "phlex",
          "vendor": "phlex-ruby",
          "versions": [
            {
              "status": "affected",
              "version": "= 1.9.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.8.0, \u003c 1.8.2"
            },
            {
              "status": "affected",
              "version": "= 1.7.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.6.0, \u003c 1.6.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.5.0, \u003c 1.5.2"
            },
            {
              "status": "affected",
              "version": "= 1.4.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.3.0, \u003c 1.3.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 1.2.0, \u003c 1.2.2"
            },
            {
              "status": "affected",
              "version": "= 1.1.0"
            },
            {
              "status": "affected",
              "version": "\u003c 1.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-11T22:50:38.789Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g"
        },
        {
          "name": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1"
        },
        {
          "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
        },
        {
          "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
        }
      ],
      "source": {
        "advisory": "GHSA-242p-4v39-2v8g",
        "discovery": "UNKNOWN"
      },
      "title": "Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-28199",
    "datePublished": "2024-03-11T22:50:38.789Z",
    "dateReserved": "2024-03-06T17:35:00.860Z",
    "dateUpdated": "2024-08-02T00:48:49.443Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.\"}, {\"lang\": \"es\", \"value\": \"Phlex es un framework de c\\u00f3digo abierto para crear vistas orientadas a objetos en Ruby. Existe una posible vulnerabilidad de secuencias de comandos entre sitios (XSS) que puede explotarse mediante datos de usuario creados con fines malintencionados. Esto se debi\\u00f3 a una distinci\\u00f3n inadecuada entre may\\u00fasculas y min\\u00fasculas en el c\\u00f3digo destinado a prevenir estos ataques. Si representa una etiqueta `\u003ca rel=\\\"nofollow\\\"\u003e` con un atributo `href` establecido en un enlace proporcionado por el usuario, ese enlace podr\\u00eda potencialmente ejecutar JavaScript cuando otro usuario haga clic en \\u00e9l. Si agrega atributos proporcionados por el usuario al representar cualquier etiqueta HTML, se podr\\u00edan incluir atributos de eventos maliciosos en la salida, ejecutando JavaScript cuando los eventos sean activados por otro usuario. Los parches est\\u00e1n disponibles en RubyGems para todas las versiones menores 1.x. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben considerar configurar una pol\\u00edtica de seguridad de contenido que no permita \\\"inseguro en l\\u00ednea\\\".\u003c/a\u003e\"}]",
      "id": "CVE-2024-28199",
      "lastModified": "2024-11-21T09:06:00.800",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 4.2}]}",
      "published": "2024-03-11T23:15:47.333",
      "references": "[{\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-28199\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-11T23:15:47.333\",\"lastModified\":\"2025-04-23T17:29:58.553\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.\"},{\"lang\":\"es\",\"value\":\"Phlex es un framework de c\u00f3digo abierto para crear vistas orientadas a objetos en Ruby. Existe una posible vulnerabilidad de secuencias de comandos entre sitios (XSS) que puede explotarse mediante datos de usuario creados con fines malintencionados. Esto se debi\u00f3 a una distinci\u00f3n inadecuada entre may\u00fasculas y min\u00fasculas en el c\u00f3digo destinado a prevenir estos ataques. Si representa una etiqueta `\u003ca rel=\\\"nofollow\\\"\u003e` con un atributo `href` establecido en un enlace proporcionado por el usuario, ese enlace podr\u00eda potencialmente ejecutar JavaScript cuando otro usuario haga clic en \u00e9l. Si agrega atributos proporcionados por el usuario al representar cualquier etiqueta HTML, se podr\u00edan incluir atributos de eventos maliciosos en la salida, ejecutando JavaScript cuando los eventos sean activados por otro usuario. Los parches est\u00e1n disponibles en RubyGems para todas las versiones menores 1.x. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben considerar configurar una pol\u00edtica de seguridad de contenido que no permita \\\"inseguro en l\u00ednea\\\".\u003c/a\u003e\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phlex:phlex:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"1.0.1\",\"matchCriteriaId\":\"B2BF28C1-9D36-460D-9030-2ECDB054ADB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phlex:phlex:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"1.2.0\",\"versionEndExcluding\":\"1.2.2\",\"matchCriteriaId\":\"8A30CE8F-C58A-4851-8DB2-0724D67A0E58\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phlex:phlex:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"1.3.0\",\"versionEndExcluding\":\"1.3.3\",\"matchCriteriaId\":\"91BCB672-57E6-47E2-9174-011BB8B9D08E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phlex:phlex:1.1.0:*:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"A1724DBB-7DC6-43F3-BA3D-C05FCECD1D3C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phlex:phlex:1.4.0:*:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"8E46CC01-3CD3-491D-8046-B5C5B740B7C9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phlex:phlex:1.7.0:*:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"10E33F7C-8D3F-4182-A3A4-48940C967D31\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phlex:phlex:1.9.0:*:*:*:*:ruby:*:*\",\"matchCriteriaId\":\"1D4EB24C-96B0-4C2B-990F-848DF9CDEE86\"}]}]}],\"references\":[{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-79\", \"lang\": \"en\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"NONE\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g\"}, {\"name\": \"https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1\"}, {\"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"}, {\"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline\"}], \"affected\": [{\"vendor\": \"phlex-ruby\", \"product\": \"phlex\", \"versions\": [{\"version\": \"= 1.9.0\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.8.0, \u003c 1.8.2\", \"status\": \"affected\"}, {\"version\": \"= 1.7.0\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.6.0, \u003c 1.6.2\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.5.0, \u003c 1.5.2\", \"status\": \"affected\"}, {\"version\": \"= 1.4.0\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.3.0, \u003c 1.3.3\", \"status\": \"affected\"}, {\"version\": \"\u003e= 1.2.0, \u003c 1.2.2\", \"status\": \"affected\"}, {\"version\": \"= 1.1.0\", \"status\": \"affected\"}, {\"version\": \"\u003c 1.0.1\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-11T22:50:38.789Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.\"}], \"source\": {\"advisory\": \"GHSA-242p-4v39-2v8g\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-28199\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-12T15:49:25.218232Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T19:01:16.974Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-28199\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2024-03-06T17:35:00.860Z\", \"datePublished\": \"2024-03-11T22:50:38.789Z\", \"dateUpdated\": \"2024-06-04T18:03:58.780Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2024-28199

Vulnerability from gsd - Updated: 2024-03-08 06:02

Details

Aliases

CVE-2024-28199

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-28199"
      ],
      "details": "phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.",
      "id": "GSD-2024-28199",
      "modified": "2024-03-08T06:02:46.389080Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-28199",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "phlex",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "= 1.9.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.8.0, \u003c 1.8.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 1.7.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.6.0, \u003c 1.6.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.5.0, \u003c 1.5.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 1.4.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.3.0, \u003c 1.3.3"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 1.2.0, \u003c 1.2.2"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "= 1.1.0"
                        },
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 1.0.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "phlex-ruby"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-79",
                "lang": "eng",
                "value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g",
            "refsource": "MISC",
            "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g"
          },
          {
            "name": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1",
            "refsource": "MISC",
            "url": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1"
          },
          {
            "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy",
            "refsource": "MISC",
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
          },
          {
            "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline",
            "refsource": "MISC",
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-242p-4v39-2v8g",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`."
          },
          {
            "lang": "es",
            "value": "Phlex es un framework de c\u00f3digo abierto para crear vistas orientadas a objetos en Ruby. Existe una posible vulnerabilidad de secuencias de comandos entre sitios (XSS) que puede explotarse mediante datos de usuario creados con fines malintencionados. Esto se debi\u00f3 a una distinci\u00f3n inadecuada entre may\u00fasculas y min\u00fasculas en el c\u00f3digo destinado a prevenir estos ataques. Si representa una etiqueta `\u003ca rel=\"nofollow\"\u003e` con un atributo `href` establecido en un enlace proporcionado por el usuario, ese enlace podr\u00eda potencialmente ejecutar JavaScript cuando otro usuario haga clic en \u00e9l. Si agrega atributos proporcionados por el usuario al representar cualquier etiqueta HTML, se podr\u00edan incluir atributos de eventos maliciosos en la salida, ejecutando JavaScript cuando los eventos sean activados por otro usuario. Los parches est\u00e1n disponibles en RubyGems para todas las versiones menores 1.x. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben considerar configurar una pol\u00edtica de seguridad de contenido que no permita \"inseguro en l\u00ednea\".\u003c/a\u003e"
          }
        ],
        "id": "CVE-2024-28199",
        "lastModified": "2024-03-12T12:40:13.500",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 4.2,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-11T23:15:47.333",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-79"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

GHSA-242P-4V39-2V8G

Vulnerability from github – Published: 2024-03-12 15:39 – Updated: 2024-03-14 21:40

Summary

Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex

Details

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks.

Impact

If you render an <a> tag with an href attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

a(href: user_profile) { "Profile" }

If you splat user-provided attributes when rendering any HTML or SVG tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.

h1(**JSON.parse(user_attributes))

Patches

Patches are available on RubyGems for all 1.x minor versions. The patched versions are:

If you are on main, it has been patched since aa50c60

Workarounds

Configuring a Content Security Policy that does not allow unsafe-inline would effectively prevent this vulnerability from being exploited.

References

In addition to upgrading to a patched version of Phlex, we strongly recommend configuring a Content Security Policy header that does not allow unsafe-inline. Here’s how you can configure a Content Security Policy header in Rails. https://guides.rubyonrails.org/security.html#content-security-policy-header

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.9.0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.9.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.7.0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.7.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.5.0"
            },
            {
              "fixed": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.4.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.3.0"
            },
            {
              "fixed": "1.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.1.0"
            },
            {
              "fixed": "1.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.1.0"
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "phlex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-28199"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-12T15:39:46Z",
    "nvd_published_at": "2024-03-11T23:15:47Z",
    "severity": "HIGH"
  },
  "details": "There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks.\n\n### Impact\n\nIf you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.\n\n```ruby\na(href: user_profile) { \"Profile\" }\n```\n\nIf you splat user-provided attributes when rendering any HTML or SVG tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.\n\n```ruby\nh1(**JSON.parse(user_attributes))\n```\n\n### Patches\nPatches are [available on RubyGems](https://rubygems.org/gems/phlex) for all `1.x` minor versions. The patched versions are:\n\n- [1.9.1](https://rubygems.org/gems/phlex/versions/1.9.1)\n- [1.8.2](https://rubygems.org/gems/phlex/versions/1.8.2)\n- [1.7.1](https://rubygems.org/gems/phlex/versions/1.7.1)\n- [1.6.2](https://rubygems.org/gems/phlex/versions/1.6.2)\n- [1.5.2](https://rubygems.org/gems/phlex/versions/1.5.2)\n- [1.4.1](https://rubygems.org/gems/phlex/versions/1.4.1)\n- [1.3.3](https://rubygems.org/gems/phlex/versions/1.3.3)\n- [1.2.2](https://rubygems.org/gems/phlex/versions/1.2.2)\n- [1.1.1](https://rubygems.org/gems/phlex/versions/1.1.1)\n- [1.0.1](https://rubygems.org/gems/phlex/versions/1.0.1)\n\nIf you are on `main`, it has been patched since [`aa50c60`](https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1)\n\n### Workarounds\nConfiguring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.\n\n### References\n\nIn addition to upgrading to a patched version of Phlex, we strongly recommend configuring a Content Security Policy header that does not allow `unsafe-inline`. Here\u2019s how you can configure a Content Security Policy header in Rails. https://guides.rubyonrails.org/security.html#content-security-policy-header",
  "id": "GHSA-242p-4v39-2v8g",
  "modified": "2024-03-14T21:40:41Z",
  "published": "2024-03-12T15:39:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28199"
    },
    {
      "type": "WEB",
      "url": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
    },
    {
      "type": "WEB",
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/phlex-ruby/phlex"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-28199.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex"
}

FKIE_CVE-2024-28199

Vulnerability from fkie_nvd - Published: 2024-03-11 23:15 - Updated: 2025-04-23 17:29

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy	Technical Description
security-advisories@github.com	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline	Technical Description
security-advisories@github.com	https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1	Patch
security-advisories@github.com	https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy	Technical Description
af854a3a-2127-422b-91ae-364da2661108	https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline	Technical Description
af854a3a-2127-422b-91ae-364da2661108	https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g	Patch, Vendor Advisory

Impacted products

Vendor	Product	Version
phlex	phlex	*
phlex	phlex	*
phlex	phlex	*
phlex	phlex	1.1.0
phlex	phlex	1.4.0
phlex	phlex	1.7.0
phlex	phlex	1.9.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:phlex:phlex:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "B2BF28C1-9D36-460D-9030-2ECDB054ADB1",
              "versionEndExcluding": "1.0.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phlex:phlex:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "8A30CE8F-C58A-4851-8DB2-0724D67A0E58",
              "versionEndExcluding": "1.2.2",
              "versionStartIncluding": "1.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phlex:phlex:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "91BCB672-57E6-47E2-9174-011BB8B9D08E",
              "versionEndExcluding": "1.3.3",
              "versionStartIncluding": "1.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phlex:phlex:1.1.0:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "A1724DBB-7DC6-43F3-BA3D-C05FCECD1D3C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phlex:phlex:1.4.0:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "8E46CC01-3CD3-491D-8046-B5C5B740B7C9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phlex:phlex:1.7.0:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "10E33F7C-8D3F-4182-A3A4-48940C967D31",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:phlex:phlex:1.9.0:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "1D4EB24C-96B0-4C2B-990F-848DF9CDEE86",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `\u003ca\u003e` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`."
    },
    {
      "lang": "es",
      "value": "Phlex es un framework de c\u00f3digo abierto para crear vistas orientadas a objetos en Ruby. Existe una posible vulnerabilidad de secuencias de comandos entre sitios (XSS) que puede explotarse mediante datos de usuario creados con fines malintencionados. Esto se debi\u00f3 a una distinci\u00f3n inadecuada entre may\u00fasculas y min\u00fasculas en el c\u00f3digo destinado a prevenir estos ataques. Si representa una etiqueta `\u003ca rel=\"nofollow\"\u003e` con un atributo `href` establecido en un enlace proporcionado por el usuario, ese enlace podr\u00eda potencialmente ejecutar JavaScript cuando otro usuario haga clic en \u00e9l. Si agrega atributos proporcionados por el usuario al representar cualquier etiqueta HTML, se podr\u00edan incluir atributos de eventos maliciosos en la salida, ejecutando JavaScript cuando los eventos sean activados por otro usuario. Los parches est\u00e1n disponibles en RubyGems para todas las versiones menores 1.x. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deben considerar configurar una pol\u00edtica de seguridad de contenido que no permita \"inseguro en l\u00ednea\".\u003c/a\u003e"
    }
  ],
  "id": "CVE-2024-28199",
  "lastModified": "2025-04-23T17:29:58.553",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-03-11T23:15:47.333",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Technical Description"
      ],
      "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-28199 (GCVE-0-2024-28199)

GSD-2024-28199

GHSA-242P-4V39-2V8G

Impact

Patches

Workarounds

References

FKIE_CVE-2024-28199

Tags

Sightings

Nomenclature