Christian Blavier

**Name of the Vulnerable Software and Affected Versions** phoenix storybook versions 0.4.0 through 1.0.x **Description** An authorization bypass occurs due to user-controlled keys, allowing cross-session PubSub topic injection via a URL query parameter. The function `handle params/3` in `Elixir.PhoenixStorybook.Story.ComponentIframeLive` reads a PubSub topic directly from the `topic` parameter and broadcasts the iframe process pid without verifying if the topic belongs to the requesting session. This allows an attacker to load the endpoint '/storybook/iframe/<story>' with a `topic` parameter belonging to a victim, causing the victim's playground to send private control messages, such as variation state and theme switches, to the attacker's iframe process. **Recommendations** Update phoenix storybook to version 1.1.0.

**Name of the Vulnerable Software and Affected Versions** phoenix storybook versions 0.5.0 through 1.0.x **Description** Unauthenticated remote code execution is possible due to unsanitized attribute value interpolation during HEEx template generation. The `psb-assign` WebSocket event handler in the `handle event/3` function of `Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive` accepts arbitrary attribute names and values from unauthenticated clients. These are processed by the `handle set variation assign/3` function in `Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers` and stored verbatim. During rendering, the `attributes markup/1` function in `Elixir.PhoenixStorybook.Rendering.ComponentRenderer` interpolates these values into a HEEx template string without escaping double quotes or expression delimiters. An attacker can inject a closing quote followed by a HEEx expression block, which is then compiled via `EEx.compile string/2` and executed via `Code.eval quoted with env/3` with full Kernel imports and no sandbox, allowing arbitrary code execution on the server. **Recommendations** Update phoenix storybook to version 1.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** phenixdigital phoenix storybook versions 0.2.0 through 1.0.x **Description** An unauthenticated denial-of-service can occur via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using `String.to atom/1` without validation. Specifically, the following functions are affected: - `handle set variation assign/3` interns every key of the `psb-assign` params map. - `handle toggle variation assign/3` interns the `attr` value from `psb-toggle` events. - `to variation id/2` interns elements of `variation id`. - `to value/4` interns raw string values for attributes declared as `:atom` or `:boolean`. BEAM atoms are never garbage-collected, meaning each unique attacker-controlled string results in a permanent allocation. When the atom table ceiling of approximately 1,048,576 atoms is reached, the entire BEAM node aborts, causing all applications running on it to crash. **Recommendations** Update to version 1.1.0 or later.