Home

CVE-2024-32463

Description

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an tag could be bypassed with tab t or newline n characters between the characters of the protocol, e.g. javatscript:. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allow unsafe-inline would effectively prevent this vulnerability from being exploited.

Risk Information

Base Score
7.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS Score
Exploitation Probability
0.179

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex 1.10.1Windows
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex 1.9.2Windows
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex 1.8.3Windows
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex 1.7.2Windows
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex 1.6.3Windows
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex 1.5.3Windows
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex 1.4.2Windows
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex for Linux 1.10.1Linux
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex for Linux 1.9.2Linux
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex for Linux 1.8.3Linux
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex for Linux 1.7.2Linux
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex for Linux 1.6.3Linux
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex for Linux 1.5.3Linux
Vulnerabilities CVE-2024-32463 are fixed in Ruby-phlex for Linux 1.4.2Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234