|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'CVE-2024-32970 (phlex): Phlex vulnerable to Cross-site Scripting (XSS) via |
| 4 | + maliciously formed HTML attribute names and values' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- phlex |
| 8 | +advisory: |
| 9 | + gem: phlex |
| 10 | + cve: 2024-32970 |
| 11 | + ghsa: 9p57-h987-4vgx |
| 12 | + url: https://github.com/phlex-ruby/phlex/security/advisories/GHSA-9p57-h987-4vgx |
| 13 | + title: Phlex vulnerable to Cross-site Scripting (XSS) via maliciously formed HTML |
| 14 | + attribute names and values |
| 15 | + date: 2024-05-01 |
| 16 | + description: | |
| 17 | + There is a potential cross-site scripting (XSS) vulnerability that |
| 18 | + can be exploited via maliciously crafted user data. |
| 19 | +
|
| 20 | + The reason these issues were not detected before is the escapes were |
| 21 | + working as designed. However, their design didn't take into account |
| 22 | + just how recklessly permissive browser are when it comes to executing |
| 23 | + unsafe JavaScript via HTML attributes. |
| 24 | +
|
| 25 | + ### Impact |
| 26 | +
|
| 27 | + If you render an `<a>` tag with an `href` attribute set to an |
| 28 | + user-provided link, that link could potentially execute JavaScript |
| 29 | + when clicked by another user. |
| 30 | +
|
| 31 | + ```ruby |
| 32 | + a(href: user_profile) { "Profile" } |
| 33 | + ``` |
| 34 | +
|
| 35 | + If you splat user-provided attributes when rendering any HTML or SVG |
| 36 | + tag, malicious event attributes could be included in the output, |
| 37 | + executing JavaScript when the events are triggered by another user. |
| 38 | +
|
| 39 | + ```ruby |
| 40 | + h1(**JSON.parse(user_attributes)) |
| 41 | + ``` |
| 42 | +
|
| 43 | + ### Patches |
| 44 | +
|
| 45 | + Patches are [available on RubyGems](https://rubygems.org/gems/phlex) |
| 46 | + for all minor versions released in the last year. |
| 47 | +
|
| 48 | + - [1.10.2](https://rubygems.org/gems/phlex/versions/1.10.2) |
| 49 | + - [1.9.3](https://rubygems.org/gems/phlex/versions/1.9.3) |
| 50 | +
|
| 51 | + If you are on `main`, it has been patched since |
| 52 | + [`da8f943`](https://github.com/phlex-ruby/phlex/commit/da8f94342a84cff9d78c98bcc3b3604ee2e577d2) |
| 53 | +
|
| 54 | + ### Workarounds |
| 55 | +
|
| 56 | + Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) |
| 57 | + that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) |
| 58 | + would effectively prevent this vulnerability from being exploited. |
| 59 | +
|
| 60 | + ### References |
| 61 | +
|
| 62 | + In addition to upgrading to a patched version of Phlex, we strongly |
| 63 | + recommend configuring a Content Security Policy header that does |
| 64 | + not allow `unsafe-inline`. Here’s how you can configure a Content |
| 65 | + Security Policy header in Rails. |
| 66 | + https://guides.rubyonrails.org/security.html#content-security-policy-header |
| 67 | + cvss_v3: 7.1 |
| 68 | + patched_versions: |
| 69 | + - "~> 1.9.3" |
| 70 | + - ">= 1.10.2" |
| 71 | + related: |
| 72 | + url: |
| 73 | + - https://nvd.nist.gov/vuln/detail/CVE-2024-32970 |
| 74 | + - https://github.com/phlex-ruby/phlex/security/advisories/GHSA-9p57-h987-4vgx |
| 75 | + - https://github.com/phlex-ruby/phlex/commit/da8f94342a84cff9d78c98bcc3b3604ee2e577d2 |
| 76 | + - https://rubygems.org/gems/phlex |
| 77 | + - https://rubygems.org/gems/phlex/versions/1.10.2 |
| 78 | + - https://rubygems.org/gems/phlex/versions/1.9.3 |
| 79 | + - https://github.com/payloadbox/xss-payload-list |
| 80 | + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy |
| 81 | + - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline |
| 82 | + - https://github.com/advisories/GHSA-9p57-h987-4vgx |
| 83 | +--- |
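Review bot: the `related: url:` list omits the Rails Content Security Policy guide (https://guides.rubyonrails.org/security.html#content-security-policy-header) even though the `description` block's `### References` subsection points to it as the recommended hardening step; add it alongside the MDN CSP links so the reference is machine-readable. Two smaller points in the same `description` block, which is copied from the upstream GHSA text: "an user-provided link" should read "a user-provided link" and "how recklessly permissive browser are" should read "browsers are"; either keep the block byte-for-byte to match upstream or fix both while copying, but not one without the other. Note also that `### References` there holds a recommendation that repeats `### Workarounds` (upgrade plus a CSP without `unsafe-inline`) rather than a list of references, which is an upstream wording issue rather than a data error in this entry; `patched_versions` (`~> 1.9.3`, `>= 1.10.2`) is consistent with the two patched releases named in the text.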