PT-2023-22811 · Pay

Published: 2023-04-19 · Updated: 2023-05-15

CVE-2023-30614
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Pay versions prior to 6.3.2

Description: A payments info page of Pay is susceptible to reflected cross-site scripting. An attacker could craft a working URL that renders a JavaScript link to a user of a Rails application that integrates Pay. This URL could be distributed via email to target specific individuals. If the targeted application offers a way to submit user-generated content (such as comments), the attacker could also distribute the URL through that functionality. The back parameter is not properly sanitized, which is what allows this issue to be exploited.

Recommendations: For Pay versions prior to 6.3.2, upgrade to version 6.3.2 or above to patch the vulnerability. As a temporary workaround, consider restricting access to the payments info page until the issue is resolved. Additionally, restrict the back parameter to relative paths only.
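The following is an added example of the workaround described above, written for this page and not taken from the Pay gem or the advisory: a small validator a Rails application can wrap around the user-supplied back parameter so that only a same-origin relative path ever reaches a link or redirect. The helper name safe_back_path and the default "/" fallback are assumptions.

```ruby
# Added example (not the Pay gem's own code): accept the "back" parameter only
# when it is a relative, same-origin path. Anything else (javascript: URLs,
# absolute URLs, protocol-relative //host URLs, backslashes, control
# characters) falls back to a safe default, so it can never become an
# executable or off-site link target.
require "uri"

DEFAULT_BACK = "/".freeze

# Returns +back+ unchanged when it is a path-only value like "/billing?x=1",
# otherwise returns +default+.
def safe_back_path(back, default: DEFAULT_BACK)
  value = back.to_s
  return default if value.empty?

  # Reject control characters (header/markup splitting) and backslashes,
  # which some browsers normalise to "/" and thus to "//host".
  return default if value.match?(/[\x00-\x1f\x7f\\]/)

  # A relative path starts with exactly one "/": "/foo" is fine,
  # "//evil.example" (protocol-relative) and "javascript:..." are not.
  return default unless value.start_with?("/") && !value.start_with?("//")

  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return default
  end

  # Belt and braces: a relative path carries no scheme, host or userinfo.
  return default if uri.scheme || uri.host || uri.userinfo

  value
end

# In a Rails view or controller the parameter is passed through the
# validator before it is rendered, e.g. (illustrative usage):
#   link_to "Back", safe_back_path(params[:back])
```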

Tag: XSS

Related Identifiers: CVE-2023-30614, GHSA-CQF3-VPX7-RXHW

Affected Products: Pay