7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30614

CVE-2023-30614: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Pay

Impact

A payments info page of Pay is susceptible to reflected Cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that integrates Pay. This URL could be distributed via email to specifically target certain individuals. If the targeted application contains a functionality to submit user-generated content (such as comments) the attacker could even distribute the URL using that functionality.

Patches

This has been patched in version 6.3.2 and above.

Pay will now sanitize the back parameter and only permit relative paths.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-30614

CVE-2023-30614:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pay	rubygems	< 6.3.2	6.3.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key points: 1) The controller's show action accepted and propagated the 'back' parameter without proper path validation (allowing arbitrary URIs), and 2) The view template rendered this parameter in a link_to helper without HTML sanitization. The commit patches explicitly address both: by using URI.parse to restrict to relative paths in the controller and adding sanitize in the view. The pre-patch code for these components directly used user input in unsafe contexts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-30614: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Pay

Impact

Patches

CVE-2023-30614:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

7.1

7.1

CVE-2023-30614: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Pay

Impact

Patches

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-30614: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Pay

Impact

Patches

CVE-2023-30614:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.1

7.1

CVE-2023-30614: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Pay

Impact

Patches

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI