{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-32463","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2024-04-12T19:41:51.164Z","datePublished":"2024-04-17T15:29:14.463Z","dateUpdated":"2024-08-02T02:13:39.303Z"},"containers":{"cna":{"title":"phlex makes Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags","problemTypes":[{"descriptions":[{"cweId":"CWE-79","lang":"en","description":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c","tags":["x_refsource_CONFIRM"],"url":"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c"},{"name":"https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb","tags":["x_refsource_MISC"],"url":"https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb"},{"name":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy","tags":["x_refsource_MISC"],"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"},{"name":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline","tags":["x_refsource_MISC"],"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"}],"affected":[{"vendor":"phlex-ruby","product":"phlex","versions":[{"version":">= 1.10.0, < 
1.10.1","status":"affected"},{"version":">= 1.9.0, < 1.9.2","status":"affected"},{"version":">= 1.8.0, < 1.8.3","status":"affected"},{"version":">= 1.7.0, < 1.7.2","status":"affected"},{"version":">= 1.6.0, < 1.6.3","status":"affected"},{"version":">= 1.5.0, < 1.5.3","status":"affected"},{"version":">= 1.4.0, < 1.4.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2024-04-17T15:29:14.463Z"},"descriptions":[{"lang":"en","value":"phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user-supplied data. The filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed by inserting tab `\\t` or newline `\\n` characters between the characters of the scheme name, e.g. `java\\tscript:`. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. 
Configuring a Content Security Policy that does not allow `unsafe-inline` would effectively prevent this vulnerability from being exploited."}],"source":{"advisory":"GHSA-g7xq-xv8c-h98c","discovery":"UNKNOWN"}},"adp":[{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-32463","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-23T18:58:58.573841Z"}}}],"affected":[{"cpes":["cpe:2.3:a:ruby:fileutils:1.0.0:*:*:*:*:*:*:*"],"vendor":"ruby","product":"fileutils","versions":[{"status":"affected","version":"1.0.0"}],"defaultStatus":"unknown"}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-06-04T17:51:21.119Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T02:13:39.303Z"},"title":"CVE Program Container","references":[{"name":"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c"},{"name":"https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb"},{"name":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy","tags":["x_refsource_MISC","x_transferred"],"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"},{"name":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline","tags":["x_refsource_MISC","x_transferred"],"url":"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline"}]}]}}