CVE-2024-32463

phlex makes Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags

Severity Score: 7.1 (CVSS v3.1)
Exploit Likelihood (EPSS):
Affected Versions (CPE): see the affected versions table below
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)

Descriptions

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allow `unsafe-inline` would effectively prevent this vulnerability from being exploited.
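The bypass works because browsers normalise an `href` before parsing its scheme, while a naive string comparison does not. The Ruby below is an added example (it is not Phlex's code and not the project's actual fix) showing the hardening a view layer can apply against this class of bypass: normalise the candidate href the way the WHATWG URL parser does (strip leading and trailing C0 control characters and spaces, then remove tab, CR and LF anywhere in the value) before extracting the scheme, and accept only an allowlist of schemes instead of denylisting `javascript:`. The constants, method names (`SAFE_SCHEMES`, `normalize_url`, `url_scheme`, `safe_href?`, `sanitize_href`) and sample inputs are my own assumptions for the example.

```ruby
# Added example, not Phlex's own code: a conservative href scheme check that
# normalises the value as browsers do before deciding whether to render it.
# The WHATWG URL parser strips leading/trailing C0 controls and spaces and
# removes ASCII tab/LF/CR anywhere in the input, so "java\tscript:" and
# "java\nscript:" reach the browser as "javascript:". A check that only
# compares the raw string against "javascript:" misses both.

# Allowlist of schemes the view layer is willing to emit (assumed for the example).
SAFE_SCHEMES = %w[http https mailto tel].freeze

# Apply the same pre-parse normalisation the browser will apply:
# - strip leading and trailing C0 control characters (0x00-0x1F) and space
# - delete tab, line feed and carriage return wherever they appear
def normalize_url(value)
  value.to_s
       .gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
       .delete("\t\n\r")
end

# Lowercase scheme of the normalised URL, or nil for a scheme-less (relative) URL.
# Scheme syntax follows RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":".
def url_scheme(value)
  m = normalize_url(value).match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Allowlist decision: relative URLs and SAFE_SCHEMES pass; any other scheme
# (javascript:, data:, vbscript:, or an obfuscated spelling of them) fails.
# A host-only value such as "example.com:8080/x" is treated as having the
# scheme "example.com" and is rejected too, which errs on the safe side.
def safe_href?(value)
  scheme = url_scheme(value)
  scheme.nil? || SAFE_SCHEMES.include?(scheme)
end

# Value to render in the attribute: the normalised URL, or nil to drop the
# attribute entirely when the candidate is unsafe.
def sanitize_href(value)
  safe_href?(value) ? normalize_url(value) : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the bypass shapes named in the advisory.
  ["https://example.com/", "/relative/path", "mailto:a@example.com",
   "javascript:alert(1)", "java\tscript:alert(1)", "java\nscript:alert(1)",
   "  JavaScript:alert(1)", "data:text/html,x"].each do |href|
    puts "#{href.inspect.ljust(28)} -> #{safe_href?(href) ? 'allowed' : 'rejected'}"
  end
end
```

The design choice worth noting is the allowlist: a denylist has to anticipate every spelling a browser will accept, whereas an allowlist only has to recognise the few schemes the application actually needs, and the normalisation step ensures the string being classified is the one the browser will act on.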


*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-12 CVE Reserved
  • 2024-04-17 CVE Published
  • 2024-04-18 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
Affected Vendors, Products, and Versions
Vendor      Product  Version             Other  Status
Phlex-ruby  Phlex    >= 1.10.0 < 1.10.1  en     Affected
Phlex-ruby  Phlex    >= 1.9.0 < 1.9.2    en     Affected
Phlex-ruby  Phlex    >= 1.8.0 < 1.8.3    en     Affected
Phlex-ruby  Phlex    >= 1.7.0 < 1.7.2    en     Affected
Phlex-ruby  Phlex    >= 1.6.0 < 1.6.3    en     Affected
Phlex-ruby  Phlex    >= 1.5.0 < 1.5.3    en     Affected
Phlex-ruby  Phlex    >= 1.4.0 < 1.4.2    en     Affected