CVE-2024-32463

EPSS 0.18%
Veröffentlicht 17.04.2024 16:15:09
Zuletzt bearbeitet 21.11.2024 09:14:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allow `unsafe-inline` would effectively prevent this vulnerability from being exploited.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerruby

≫

Produkt fileutils

Default Statusunknown

Version 1.0.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.398

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.1	2.8	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline

https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb

https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c

https://nvd.nist.gov/vuln/detail/CVE-2024-32463

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-32463

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-32463

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-32463