7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32463

GHSA ID

GHSA-g7xq-xv8c-h98c

EPSS Score

0.34385%

CWE

CWE-79

Published

4/17/2024

Updated

4/19/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32463

CVE-2024-32463: Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags

Summary

There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.

Our filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an <a> tag could be bypassed with tab \t or newline \n characters between the characters of the protocol, e.g. java\tscript:.

Impact

If you render an <a> tag with an href attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

a(href: user_profile) { "Profile" }

Mitigation

The best way to mitigate this vulnerability is to update to one of the following versions:

Workarounds

Configuring a Content Security Policy that does not allow unsafe-inline would effectively prevent this vulnerability from being exploited.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32463

GHSA ID

GHSA-g7xq-xv8c-h98c

EPSS Score

0.34385%

CWE

CWE-79

Published

4/17/2024

Updated

4/19/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phlex	rubygems	= 1.10.0	1.10.1
phlex	rubygems	>= 1.9.0, < 1.9.2	1.9.2
phlex	rubygems	>= 1.8.0, < 1.8.3	1.8.3
phlex	rubygems	>= 1.7.0, < 1.7.2	1.7.2
phlex	rubygems	>= 1.6.0, < 1.6.3	1.6.3
phlex	rubygems	>= 1.5.0, < 1.5.3	1.5.3
phlex	rubygems	< 1.4.2	1.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the attribute sanitization logic in attributes method shown in the commit diff. The patched line (-382) specifically modifies the 'href' attribute validation to first normalize the input by removing tabs/newlines before checking for 'javascript:'. The test cases added in naughty_business.rb demonstrate multiple bypass scenarios that this function previously failed to catch. This function is directly responsible for XSS protection in attribute values, making it the clear vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T**r* is * pot*nti*l *ross-sit* s*riptin* (XSS) vuln*r**ility t**t **n ** *xploit** vi* m*li*iously *r**t** us*r **t*. Our *ilt*r to **t**t *n* pr*v*nt t** us* o* t** `j*v*s*ript:` URL s***m* in t** `*r**` *ttri*ut* o* *n `<*>` t** *oul*

Reasoning

T** vuln*r**ility st*ms *rom t** *ttri*ut* s*nitiz*tion lo*i* in __*ttri*ut*s__ m*t*o* s*own in t** *ommit *i**. T** p*t**** lin* (-***) sp**i*i**lly mo*i*i*s t** '*r**' *ttri*ut* v*li**tion to *irst norm*liz* t** input *y r*movin* t**s/n*wlin*s ***o

7.1

Basic Information

Concerned about an active attack path?

CVE-2024-32463: Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags

Summary

Impact

Mitigation

Workarounds

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI