PT-2023-19296 · Ruby On Rails · Rails-Ujs

Ryotak · Published 2023-03-22 · Updated 2025-01-09 · CVE-2023-23913

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

rails-ujs versions 5.1.0 through 6.1.7.2
rails-ujs versions 5.1.0 through 7.0.4.2
Description

There is a potential DOM-based cross-site scripting issue in rails-ujs that can be reached through the Clipboard API on HTML elements carrying the contenteditable attribute. rails-ujs attaches delegated event handlers keyed on data attributes, so markup that enters the DOM through a paste is handled exactly like markup the application rendered itself. The issue can be triggered when malicious HTML pasted from the clipboard includes a data-method, data-remote, or data-disable-with attribute. If such clipboard content lands in a contenteditable element and the pasted element is then interacted with, the result can be arbitrary execution of JavaScript on the origin in question.
Recommendations

For versions 5.1.0 through 6.1.7.2, upgrade to version 6.1.7.3. For versions 5.1.0 through 7.0.4.2, upgrade to version 7.0.4.3. As a temporary workaround, remove the contenteditable attribute from elements on pages that rails-ujs interacts with. Patches are also provided for the 6.1 series (rails-ujs-data-method-contenteditable-6-1.patch) and the 7.0 series (rails-ujs-data-method-contenteditable-7-0.patch) for deployments that cannot upgrade immediately.
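The following is an added example, not code from rails-ujs, from the advisory, or from the linked patches. It models the two behaviours the description refers to: a pre-fix handler that acts on data-disable-with and data-method attributes of whatever element was clicked, and a hardened handler that first walks up the element's ancestors and refuses to act when the element sits inside an editable region (a reconstruction of the approach taken by the fixed releases, not a copy of their code). Node has no DOM, so FakeElement, buildScenario and the handler names are assumptions of this example; the pasted markup in buildScenario is constructed to illustrate the attribute-based mechanism and is not a captured payload.

```javascript
// Added example (not rails-ujs code). FakeElement is a constructed stand-in
// for the few DOM members the logic needs: parentElement, getAttribute()
// and innerHTML. In a browser, real elements provide these directly.
class FakeElement {
  constructor(tag, attrs = {}, parent = null) {
    this.tagName = tag.toUpperCase();
    this.attrs = { ...attrs };
    this.parentElement = parent;
    this.innerHTML = "";
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
}

// Ancestor check used by the hardened handlers (reconstructed, not copied):
// contenteditable="" or "true" on the element or any ancestor makes it
// editable; contenteditable="false" on a nearer ancestor opts back out.
function isContentEditable(element) {
  for (let el = element; el; el = el.parentElement) {
    const v = el.getAttribute("contenteditable");
    if (v === null) continue;
    if (v === "" || v.toLowerCase() === "true") return true;
    if (v.toLowerCase() === "false") return false;
  }
  return false;
}

// Pre-fix data-disable-with behaviour on click: the attribute value is
// written into the element as HTML. A pasted value carrying an event
// handler therefore becomes live markup on the page's own origin.
function disableWithVulnerable(element) {
  const replacement = element.getAttribute("data-disable-with");
  if (replacement !== null) element.innerHTML = replacement;
  return element.innerHTML;
}

// Pre-fix data-method behaviour on click: a form whose action is the link's
// href is built and submitted. Modelled here as a returned object.
function handleMethodVulnerable(element) {
  const method = element.getAttribute("data-method");
  if (method === null) return null;
  return { action: element.getAttribute("href"), method: method.toLowerCase() };
}

// Hardened handlers: return early for editable content so pasted attributes
// are never acted on, while links elsewhere on the page keep working.
function disableWithFixed(element) {
  if (isContentEditable(element)) return element.innerHTML;
  return disableWithVulnerable(element);
}

function handleMethodFixed(element) {
  if (isContentEditable(element)) return null;
  return handleMethodVulnerable(element);
}

// Constructed scenario: an editor the page owns, an attacker-controlled link
// pasted into a paragraph inside it, and a legitimate link outside it.
function buildScenario() {
  const body = new FakeElement("body");
  const editor = new FakeElement("div", { contenteditable: "true" }, body);
  const paragraph = new FakeElement("p", {}, editor); // nested, still editable
  const pasted = new FakeElement("a", {
    href: "/account",
    "data-method": "delete",
    "data-disable-with": '<img src=x onerror="console.log(\'ran on this origin\')">',
  }, paragraph);
  const legit = new FakeElement("a", {
    href: "/logout",
    "data-method": "delete",
    "data-disable-with": "Signing out...",
  }, body);
  return { body, editor, pasted, legit };
}

// Running the file shows what each handler would do with the pasted link.
const scenario = buildScenario();
console.log("vulnerable disable-with:", disableWithVulnerable(scenario.pasted));
console.log("fixed disable-with:     ", JSON.stringify(disableWithFixed(buildScenario().pasted)));
console.log("vulnerable data-method: ", handleMethodVulnerable(scenario.pasted));
console.log("fixed data-method:      ", handleMethodFixed(scenario.pasted));
```

The check walks the whole ancestor chain rather than looking only at the clicked element because the pasted link is usually nested several levels below the element that actually carries contenteditable. This is also why the workaround above is phrased in terms of removing contenteditable from the page: once no ancestor is editable, the handlers behave as they always did.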

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2024-7877
CVE-2023-23913
DSA-5389-1
GHSA-XP5H-F8JF-RC8Q
OESA-2024-1774
OESA-2024-1775
OESA-2024-1776
OPENSUSE-SU-2023_3813-1
SUSE-SU-2023:3813-1
SUSE-SU-2023_3813-1

Affected Products

Alt Linux
Suse
Rails-Ujs