
Cenk Kücük

#26763 of 53,633
9.5 Total CVSS
Vulnerabilities · 1
PT-2026-42179
9.5
2026-05-20
Unknown · Phoenix Storybook · CVE-2026-8467
**Name of the Vulnerable Software and Affected Versions**

phoenix storybook versions 0.5.0 through 1.0.x

**Description**

Unauthenticated remote code execution is possible due to unsanitized attribute value interpolation during HEEx template generation. The `psb-assign` WebSocket event handler in the `handle_event/3` function of `Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive` accepts arbitrary attribute names and values from unauthenticated clients. These are processed by the `handle_set_variation_assign/3` function in `Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers` and stored verbatim. During rendering, the `attributes_markup/1` function in `Elixir.PhoenixStorybook.Rendering.ComponentRenderer` interpolates these values into a HEEx template string without escaping double quotes or expression delimiters. An attacker can inject a closing quote followed by a HEEx expression block, which is then compiled via `EEx.compile_string/2` and executed via `Code.eval_quoted_with_env/3` with full Kernel imports and no sandbox, allowing arbitrary code execution on the server.

**Recommendations**

Update phoenix storybook to version 1.1.0 or later.