
Commit 577457f

GHSA SYNC: Added brand new advisory (#793)
1 parent ac6a3c1 commit 577457f

1 file changed

+47
-0
lines changed

gems/rails_admin/CVE-2024-39308.yml

@@ -0,0 +1,47 @@
1+
---
2+
gem: rails_admin
3+
cve: 2024-39308
4+
ghsa: 8qgm-g2vv-vwvc
5+
url: https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc
6+
title: RailsAdmin Cross-site Scripting vulnerability in the list view
7+
date: 2024-07-08
8+
description: |
9+
### Impact
10+
RailsAdmin list view has the XSS vulnerability, caused by
11+
improperly-escaped HTML title attribute. The issue was originally
12+
reported in https://github.com/railsadminteam/rails_admin/issues/3686.
13+
14+
### Patches
15+
Upgrade to [3.1.3](https://rubygems.org/gems/rails_admin/versions/3.1.3)
16+
or [2.3.0](https://rubygems.org/gems/rails_admin/versions/2.3.0).
17+
18+
### Workarounds
19+
1. Copy the index view (located under the path
20+
`app/views/rails_admin/main/index.html.erb`) from the RailsAdmin
21+
version you use, and place it into your application by using
22+
the same path.
23+
24+
2. Open the view file by an editor, and remove `strip_tags` from
25+
the title attribute (as shown in GHSA advisory below).
26+
27+
**Note:** The view file created by this needs to be removed after
28+
upgrading RailsAdmin afterwards, unless this old view continue to
29+
be used. Only do this if you can't upgrade RailsAdmin now for a reason.
30+
31+
### References
32+
https://owasp.org/www-community/attacks/xss/
33+
https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-strip_tags
34+
cvss_v3: 6.8
35+
patched_versions:
36+
- "~> 2.3.0"
37+
- ">= 3.1.3"
38+
related:
39+
url:
40+
- https://nvd.nist.gov/vuln/detail/CVE-2024-39308
41+
- https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc
42+
- https://github.com/railsadminteam/rails_admin/issues/3686
43+
- https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef
44+
- https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673
45+
- https://rubygems.org/gems/rails_admin/versions/2.3.0
46+
- https://rubygems.org/gems/rails_admin/versions/3.1.3
47+
- https://github.com/advisories/GHSA-8qgm-g2vv-vwvc
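Review bot: the Workarounds step 2 in the description says to remove `strip_tags` from the title attribute "as shown in GHSA advisory below", but nothing is shown below inside this advisory entry; readers of the YAML only have the `url:` field and the fix commits under `related:`. Suggest rewording to "as shown in the GHSA advisory linked in `url:` and in the referenced fix commits" so the pointer resolves from this file alone. While editing the description, the Impact sentence reads better as "RailsAdmin's list view has an XSS vulnerability caused by an improperly escaped HTML title attribute", and the Note should read "unless this old view continues to be used. Only do this if you cannot upgrade RailsAdmin now." Everything else (CVE, GHSA, date, patched_versions of `~> 2.3.0` and `>= 3.1.3`, and the related links) is consistent with the advisory URL given.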
