PT-2024-25017 · Phlex · Phlex

Joeldrapper · Published 2024-04-30 · Updated 2024-05-02

CVE-2024-32970 · CVSS v3.1 7.1 (High) · Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Phlex, all versions prior to the patched versions available on RubyGems.

Description
The issue is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Phlex's HTML escaping worked as designed, but escaping alone does not account for how permissive browsers are when executing JavaScript supplied through HTML attributes. If a user-provided link is placed in an <a> tag's href attribute, a javascript: URL in that link executes when the link is clicked. Similarly, if user-provided attribute names are used when rendering HTML or SVG tags, an attacker can supply event handler attributes (onclick, onerror and the like) whose JavaScript executes when the event fires. The project now exercises every possible attack vector, including enumerating every ASCII character, runs its tests in Chrome, Firefox and Safari, and additionally tests against a list of 6613 known XSS payloads.

Recommendations
For all affected versions of Phlex, upgrade to a patched version available on RubyGems. As a temporary workaround for users unable to upgrade, configure a Content Security Policy whose script-src (or default-src) directive does not allow 'unsafe-inline'; browsers then refuse to run both javascript: URLs and inline event handlers, so neither vector executes. Users who do upgrade should still set such a Content-Security-Policy header as defence in depth.
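The following is an added example, not Phlex's own code or its actual fix. It shows why correct HTML-attribute escaping leaves a javascript: href intact, and one way to reject javascript: URLs and on* event attributes before an element is rendered. All names (UnsafeAttribute, javascript_url?, check_attributes!, escape_only_link, render_link, URL_ATTRIBUTES) are hypothetical, and the src/action/formaction entries in URL_ATTRIBUTES are an assumption that goes beyond the advisory's href example.

```ruby
# Added example, not Phlex's own code: shows why correct HTML-attribute escaping
# does not stop a javascript: href or an on* event attribute, and one way to
# reject such attributes before rendering. All names here are hypothetical.
require "cgi"

UnsafeAttribute = Class.new(ArgumentError)

# Browsers are permissive when parsing a URL scheme: leading whitespace and
# control characters are trimmed, tab/newline are removed anywhere, and the
# scheme is case-insensitive. Remove every ASCII control character and space
# (a conservative over-approximation) before comparing the scheme.
def javascript_url?(value)
  cleaned = value.to_s.gsub(/[\u0000-\u0020]/, "")
  cleaned.downcase.start_with?("javascript:")
end

# Attribute names that carry a URL. The advisory describes href; src, action,
# formaction and xlink:href are added here because they accept URLs the same
# way (an assumption beyond the advisory's example).
URL_ATTRIBUTES = %w[href src action formaction xlink:href].freeze

# Reject any on* event handler attribute and any javascript: URL attribute.
def check_attributes!(attrs)
  attrs.each do |name, value|
    n = name.to_s.downcase
    raise UnsafeAttribute, "event handler attribute #{n.inspect}" if n.start_with?("on")
    if URL_ATTRIBUTES.include?(n) && javascript_url?(value)
      raise UnsafeAttribute, "javascript: URL in #{n.inspect}"
    end
  end
  attrs
end

# Standard attribute escaping: &, <, >, " and ' are replaced with entities.
def attribute_string(attrs)
  attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v.to_s)}") }.join(" ")
end

# Vulnerable form: escaping only. The payload survives untouched because
# "javascript:alert(1)" contains no character that HTML escaping changes.
def escape_only_link(href, text, **attrs)
  "<a #{attribute_string({ href: href, **attrs })}>#{CGI.escapeHTML(text)}</a>"
end

# Hardened form: reject unsafe attribute names and javascript: URLs, then escape.
def render_link(href, text, **attrs)
  all = check_attributes!({ href: href, **attrs })
  "<a #{attribute_string(all)}>#{CGI.escapeHTML(text)}</a>"
end

if __FILE__ == $0
  puts escape_only_link("javascript:alert(1)", "click")
  puts render_link("https://example.com/?a=1&b=2", "A & B", title: "safe")
  begin
    render_link("https://example.com", "x", onclick: "alert(1)")
  rescue UnsafeAttribute => e
    puts "rejected: #{e.message}"
  end
end
```

The control-character stripping in javascript_url? is what makes the check robust against the browser parsing quirks the advisory's ASCII enumeration targets: "java\tscript:" and " JavaScript:" are both treated as javascript: by browsers, and both normalise to the same rejected string here. Rejecting rather than silently dropping the attribute surfaces the bad input in application logs. A Content Security Policy without 'unsafe-inline' remains the backstop if a check like this is bypassed.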

Tags: Exploit, Fix, XSS

Weakness Enumeration: cross-site scripting (XSS)

Related Identifiers: CVE-2024-32970, GHSA-9P57-H987-4VGX

Affected Products: Phlex