CVE-2024-39311

Name of the Vulnerable Software and Affected Versions Publify versions prior to 10.0.1 publify core rubygem versions prior to 10.0.2

Description The issue allows a publisher on a Publify application to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. This requires the administrator to click a malicious link. An attack could attempt to hide their payload by using HTML or other encodings to make the link appear legitimate. A publisher may attempt to use this vulnerability to escalate their privileges and become an administrator.

Recommendations For Publify versions prior to 10.0.1, update to version 10.0.1 or later to fix the issue. For publify core rubygem versions prior to 10.0.2, update to version 10.0.2 or later to fix the issue. As a temporary workaround, consider restricting access to the redirect functionality until a patch is available. Avoid clicking on suspicious links from publishers to minimize the risk of exploitation.