CVE-2024-32463

Name of the Vulnerable Software and Affected Versions phlex versions prior to 1.10.1 phlex versions prior to 1.9.2 phlex versions prior to 1.8.3 phlex versions prior to 1.7.2 phlex versions prior to 1.6.3 phlex versions prior to 1.5.3 phlex versions prior to 1.4.2

Description There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an <a> tag could be bypassed with tab t or newline characters between the characters of the protocol, e.g. javatscript:. If you render an <a> tag with an href attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

Recommendations For versions prior to 1.10.1, update to version 1.10.1. For versions prior to 1.9.2, update to version 1.9.2. For versions prior to 1.8.3, update to version 1.8.3. For versions prior to 1.7.2, update to version 1.7.2. For versions prior to 1.6.3, update to version 1.6.3. For versions prior to 1.5.3, update to version 1.5.3. For versions prior to 1.4.2, update to version 1.4.2. As a temporary workaround, consider configuring a Content Security Policy that does not allow unsafe-inline to prevent this vulnerability from being exploited.