PT-2024-27254 · Unknown · Activeadmin

Aoprea1982

·

Published

2024-06-02

·

Updated

2024-10-27

·

CVE-2024-37031

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Active Admin versions prior to 3.2.2 on the 3.x line. On the 4.0.0 pre-release line, 4.0.0.beta7 is the fixed version, so 4.0.0 beta releases prior to 4.0.0.beta7 are affected as well.
Description The issue allows stored XSS in situations where users can create entities with arbitrary names, specifically through "dynamic form legends". When an Active Admin form legend is built dynamically from a value that a malicious user can control, that value is rendered into the admin page without escaping. For example, a public web application that allows users to create entities with arbitrary names, which are then administered through a private backend built on Active Admin, would be vulnerable: a malicious user creates an entity whose name carries a payload, and the payload executes in the administrator's browser when the administrator opens the entity's form. Both form blocks with implicit legends (derived from the resource) and form blocks with explicit legends are affected whenever the legend text can be set by non-admin users.
Recommendations For versions prior to 3.2.2, upgrade to version 3.2.2 or later to resolve the issue; on the 4.0.0 pre-release line, upgrade to 4.0.0.beta7 or later. As a temporary workaround for versions prior to 3.2.2, explicitly escape the legend text with an HTML escaping utility, such as ERB::Util.html_escape(resource.name), before it is passed to the form block, so that markup in a user-supplied name is rendered as text rather than interpreted by the administrator's browser.
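The following is an added illustration, not code from Active Admin or from this advisory, of the vulnerable pattern beside the escaping workaround. The entity name, the legend-rendering helpers and the `injected_tags` check are all constructed for this example; only `ERB::Util.html_escape` is the real Ruby stdlib call the recommendation refers to.

```ruby
require "erb"

# Constructed sample: an entity name submitted by a non-admin user through
# the public application and later shown in the Active Admin backend.
MALICIOUS_NAME = %q{Acme <img src=x onerror="alert(document.cookie)">}

# Where this pattern appears in an Active Admin resource (illustration only,
# not executed here; assumes a model with a user-editable `name` column):
#
#   form do |f|
#     f.inputs "Details for #{f.object.name}" do   # legend built from user input
#       f.input :title
#     end
#     f.actions
#   end
#
# The two helpers below stand in for how such a legend ends up in the page HTML.

# Vulnerable pattern: the legend text is interpolated into markup as-is, so any
# markup inside the user-controlled name becomes part of the admin page.
def legend_unescaped(name)
  %(<legend><span>Details for #{name}</span></legend>)
end

# Hardened pattern (the workaround the advisory recommends): escape the untrusted
# value before it reaches the legend. html_escape rewrites & < > " and '.
def legend_escaped(name)
  %(<legend><span>Details for #{ERB::Util.html_escape(name)}</span></legend>)
end

# Only these tags are expected in the rendered legend.
ALLOWED_TAGS = %w[legend span].freeze

# Tag names a browser would parse out of the rendered legend, minus the ones the
# template itself emits. Anything left over came from the user-controlled name.
# (Constructed check for this example; not a general HTML sanitizer.)
def injected_tags(html)
  html.scan(/<\s*([a-z][a-z0-9]*)/i).flatten.map(&:downcase) - ALLOWED_TAGS
end

if __FILE__ == $0
  puts "unescaped: #{legend_unescaped(MALICIOUS_NAME)}"
  puts "  injected tags: #{injected_tags(legend_unescaped(MALICIOUS_NAME)).inspect}"
  puts "escaped:   #{legend_escaped(MALICIOUS_NAME)}"
  puts "  injected tags: #{injected_tags(legend_escaped(MALICIOUS_NAME)).inspect}"
end
```

Run it with `ruby legend_xss.rb` (any filename works). The unescaped legend carries an `<img>` element with an `onerror` handler into the administrator's page; the escaped legend renders the same name as inert text (`&lt;img ...&gt;`). Upgrading to a fixed version is still the real fix, because the escaping workaround only covers legends you write yourself, while the implicit legends Active Admin generates are fixed in the library.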

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-37031
GHSA-9MG6-X45V-HCFM

Affected Products

Activeadmin