|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'GHSA-g7xq-xv8c-h98c (phlex): Cross-site Scripting (XSS) possible due to improper |
| 4 | + sanitisation of `href` attributes on `<a>` tags' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- phlex |
| 8 | +advisory: |
| 9 | + gem: phlex |
| 10 | + ghsa: g7xq-xv8c-h98c |
| 11 | + url: https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c |
| 12 | + title: Cross-site Scripting (XSS) possible due to improper sanitisation of `href` |
| 13 | + attributes on `<a>` tags |
| 14 | + date: 2024-04-16 |
| 15 | + description: | |
| 16 | + ### Summary |
| 17 | + There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. |
| 18 | +
|
| 19 | + Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. |
| 20 | +
|
| 21 | + ### Impact |
| 22 | +
|
| 23 | + If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. |
| 24 | +
|
| 25 | + ```ruby |
| 26 | + a(href: user_profile) { "Profile" } |
| 27 | + ``` |
| 28 | +
|
| 29 | + ### Mitigation |
| 30 | +
|
| 31 | + The best way to mitigate this vulnerability is to update to one of the following versions: |
| 32 | +
|
| 33 | + - [1.10.1](https://rubygems.org/gems/phlex/versions/1.10.1) |
| 34 | + - [1.9.2](https://rubygems.org/gems/phlex/versions/1.9.2) |
| 35 | + - [1.8.3](https://rubygems.org/gems/phlex/versions/1.8.3) |
| 36 | + - [1.7.2](https://rubygems.org/gems/phlex/versions/1.7.2) |
| 37 | + - [1.6.3](https://rubygems.org/gems/phlex/versions/1.6.3) |
| 38 | + - [1.5.3](https://rubygems.org/gems/phlex/versions/1.5.3) |
| 39 | + - [1.4.2](https://rubygems.org/gems/phlex/versions/1.4.2) |
| 40 | +
|
| 41 | + ### Workarounds |
| 42 | + Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited. |
| 43 | + cvss_v3: 7.1 |
| 44 | + patched_versions: |
| 45 | + - "~> 1.4.2" |
| 46 | + - "~> 1.5.3" |
| 47 | + - "~> 1.6.3" |
| 48 | + - "~> 1.7.2" |
| 49 | + - "~> 1.8.3" |
| 50 | + - "~> 1.9.2" |
| 51 | + - ">= 1.10.1" |
| 52 | + related: |
| 53 | + url: |
| 54 | + - https://nvd.nist.gov/vuln/detail/CVE-2024-28199 |
| 55 | + - https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb |
| 56 | + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy |
| 57 | + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline |
| 58 | +--- |
0 commit comments