PT-2024-28433 · Unknown · Rails Admin
Mshibuya · Published 2024-07-08 · Updated 2024-08-22 · CVE-2024-39308
CVSS v3.1: 6.8 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
RailsAdmin versions prior to 3.1.3
RailsAdmin version 2.2.1 and earlier (2.x line; no fixed 2.x release is listed)
Description
The RailsAdmin list view renders each field's value into the HTML title attribute of its table cell without proper escaping. A stored value containing a double quote can therefore close the attribute and inject further attributes or markup, which is a Cross-site Scripting (XSS) vulnerability. Consistent with the CVSS vector (PR:L, UI:R), exploitation needs an account that can store a value the list view displays, and the payload runs when an administrator opens that list. The number of potentially affected installations is not specified, and there is no information about real-world incidents where this issue was exploited.
Recommendations
For versions prior to 3.1.3, upgrade to 3.1.4 (3.1.3 is the first release containing the fix).
For version 2.2.1 and earlier, either stay on 2.2.1 or apply the workaround: copy the index view from the RailsAdmin version in use into the application, and in that copy escape the HTML title attribute by rendering strip_tags(value.to_s) instead of the raw value. Remove the overridden view after upgrading RailsAdmin, so it does not mask the gem's own fixed view.
Exploit · Fix · XSS
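The mechanism from the description and the escaping step from the workaround, as an added Ruby example (not RailsAdmin's own view code): a constructed stand-in for one list-view cell, rendered once the way the vulnerable template does and once in the shape of the strip_tags(value.to_s) workaround, plus a small attribute tokenizer used to check the resulting opening tag. SafeString, rails_escape, strip_tags_stub and the two cell functions are assumptions that model Rails behaviour (html-safe strings bypass template escaping; strip_tags returns the text with tags removed); the sample value is constructed.

```ruby
require "cgi"
require "strscan"

# Stand-in for ActiveSupport::SafeBuffer (assumption for this example): a String
# that reports itself html-safe, so Rails-style escaping leaves it alone.
# Field formatters that build markup return such strings, which is how
# attacker-controlled text can reach an attribute without being escaped.
class SafeString < String
  def html_safe?
    true
  end

  # SafeBuffer#to_s keeps the html-safe flag; mirror that, since the workaround
  # calls value.to_s before strip_tags.
  def to_s
    self
  end
end

# Rails-style conditional escaping (models ERB::Util.html_escape):
# html-safe values pass through unchanged, everything else is HTML-escaped.
def rails_escape(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  CGI.escapeHTML(value.to_s)
end

# Simplified stand-in for ActionView's strip_tags (assumption: a regex tag
# strip is enough to show the idea; use the real helper in an application).
# It returns a *plain* String, so the escape step above always runs on it.
def strip_tags_stub(html)
  String.new(html.to_s.gsub(/<[^>]*>/, ""))
end

# Vulnerable cell: the template interpolates the value into the title attribute
# and relies on automatic escaping, which an html-safe value bypasses.
def vulnerable_cell(value)
  %(<td title="#{rails_escape(value)}">#{rails_escape(value)}</td>)
end

# Hardened cell in the shape of the advisory's workaround,
# title="<%= strip_tags(value.to_s) %>": tags are removed and the remaining
# text, now a plain String, is escaped before it lands in the attribute.
def hardened_cell(value)
  %(<td title="#{rails_escape(strip_tags_stub(value.to_s))}">#{rails_escape(value)}</td>)
end

# Check: tokenize the opening tag's name="value" pairs the way a browser would.
# A quote that closes the title attribute early shows up as an extra attribute.
def opening_tag_attributes(html)
  attrs = {}
  s = StringScanner.new(html)
  s.skip(/<\w+/)
  while s.skip(/\s+/)
    name = s.scan(/[^\s=>]+/) or break
    value = if s.skip(/=/)
              s.scan(/"([^"]*)"/) ? s[1] : s.scan(/[^\s>]*/)
            else
              ""
            end
    attrs[name] = CGI.unescapeHTML(value)
  end
  attrs
end

# Constructed record value, as a formatter returning html-safe output would
# hand it to the view: markup plus a quote that breaks out of the attribute.
PAYLOAD = SafeString.new(%q{<b>Acme</b>" onmouseover="alert(document.domain)})

if $PROGRAM_NAME == __FILE__
  puts vulnerable_cell(PAYLOAD)
  p opening_tag_attributes(vulnerable_cell(PAYLOAD))
  puts hardened_cell(PAYLOAD)
  p opening_tag_attributes(hardened_cell(PAYLOAD))
end
```

In an application the overridden view should call the real ActionView strip_tags helper; the stub here exists only so the example runs without Rails. The tokenizer is also the check to run against a rendered list page: if the title value has been cut short and an attribute such as onmouseover appears after it, the value reached the attribute unescaped. Plain (non html-safe) values are escaped by both versions; only html-safe values expose the difference.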
Affected Products
Rails Admin