CVE-2023-23913: Cross-site Scripting in Rails (rails-ujs)

Severity: 6.3 MEDIUM (NVD)
EPSS: 0.2% (top 64.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 9

Description

There is a potential DOM-based cross-site scripting issue in rails-ujs, the unobtrusive JavaScript helper shipped with Action View since Rails 5.1.0 (also published as the @rails/ujs npm package). rails-ujs registers delegated event handlers on the document that react to any element carrying a data-method, data-remote or data-disable-with attribute. When an application lets users paste into an element with the contenteditable attribute, HTML copied from an attacker-controlled page arrives through the Clipboard API with those attributes intact, and the rails-ujs handlers then act on the pasted markup exactly as if the application had rendered it, so a click inside the editable region can trigger a request or script behaviour the attacker chose. The issue is fixed in Action View 6.1.7.3 and 7.0.4.3; to check an application, confirm the installed actionview gem (for example with `bundle list`) is at or above the fixed release for its series, and upgrade any separately installed @rails/ujs package to match.
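The following is an added example (not rails-ujs code and not part of the original advisory) that models the mechanism described above: delegated handlers registered once on `document` pick up pasted markup because event delegation walks up from the click target, and an element inside a contenteditable region is reached just like any other. It shows the vulnerable dispatch beside two defences: ignoring events whose matching element sits inside an editable region (the approach the upstream fix takes, written here from the advisory text rather than copied from the library), and stripping the three attributes from pasted markup on the application side. `FakeElement`, the handler names and the sample page are constructed for this example so it runs under Node.js; the functions use only properties real DOM Elements also expose.

```javascript
// Added example, not rails-ujs code. FakeElement is a constructed stand-in
// for DOM elements so the logic runs under Node.js; the helpers use only
// properties (parentElement, isContentEditable, hasAttribute, getAttribute,
// removeAttribute, children) that real Elements also have.

const UJS_ATTRS = ["data-method", "data-remote", "data-disable-with"];

class FakeElement {
  constructor(tag, attrs = {}, contentEditable = false) {
    this.tagName = tag.toUpperCase();
    this.attrs = { ...attrs };
    this.children = [];
    this.parentElement = null;
    // A real DOM reports isContentEditable on every descendant of an editable
    // element; the fake sets it only on the editor itself, so the check below
    // walks up the tree, which is the robust choice in either case.
    this.isContentEditable = contentEditable;
  }
  appendChild(child) {
    child.parentElement = this;
    this.children.push(child);
    return child;
  }
  hasAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name);
  }
  getAttribute(name) {
    return this.hasAttribute(name) ? this.attrs[name] : null;
  }
  removeAttribute(name) {
    delete this.attrs[name];
  }
}

// Event delegation: the handler on `document` receives the click and looks
// for the nearest ancestor-or-self that carries the attribute it serves.
function closestWithAttribute(target, attr) {
  for (let el = target; el; el = el.parentElement) {
    if (el.hasAttribute(attr)) return el;
  }
  return null;
}

// Defence 1: does this element sit inside any contenteditable region?
function insideContentEditable(el) {
  for (let cur = el; cur; cur = cur.parentElement) {
    if (cur.isContentEditable) return true;
  }
  return false;
}

function describeLink(link) {
  return {
    method: link.getAttribute("data-method").toUpperCase(),
    href: link.getAttribute("href"),
  };
}

// Pre-fix behaviour: any matching link anywhere in the document, including
// one the user just pasted, becomes a form submission with that HTTP method.
function handleClickVulnerable(target) {
  const link = closestWithAttribute(target, "data-method");
  return link ? describeLink(link) : null;
}

// Post-fix behaviour: the same handler refuses to act on editable content,
// while links the application rendered elsewhere keep working.
function handleClickHardened(target) {
  const link = closestWithAttribute(target, "data-method");
  if (!link || insideContentEditable(link)) return null;
  return describeLink(link);
}

// Defence 2, application side: strip the attributes rails-ujs reacts to from
// a subtree, e.g. from the parsed text/html clipboard payload in a paste
// handler before inserting it. Returns how many attributes were removed.
function stripUjsAttributes(root) {
  let removed = 0;
  const visit = (el) => {
    for (const attr of UJS_ATTRS) {
      if (el.hasAttribute(attr)) {
        el.removeAttribute(attr);
        removed += 1;
      }
    }
    for (const child of el.children) visit(child);
  };
  visit(root);
  return removed;
}

// Constructed scenario: an editor into which attacker-supplied HTML was
// pasted, plus a legitimate data-method link rendered by the application.
function buildScenario() {
  const body = new FakeElement("body");
  const editor = body.appendChild(new FakeElement("div", { contenteditable: "true" }, true));
  const pasted = editor.appendChild(
    new FakeElement("a", { href: "/admin/users/1", "data-method": "delete" })
  );
  const clicked = pasted.appendChild(new FakeElement("span"));
  const legit = body.appendChild(new FakeElement("a", { href: "/session", "data-method": "delete" }));
  return { editor, clicked, legit };
}

function demo() {
  const { editor, clicked, legit } = buildScenario();
  return {
    vulnerable: handleClickVulnerable(clicked),   // acts on the pasted link
    hardened: handleClickHardened(clicked),       // null: inside contenteditable
    legitStillWorks: handleClickHardened(legit),  // unaffected by the fix
    strippedCount: stripUjsAttributes(editor),    // 1 attribute removed
    afterStrip: handleClickVulnerable(clicked),   // null even without the fix
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page the paste-time defence would run in a `paste` listener on the editable element: read `event.clipboardData.getData("text/html")`, parse it with `DOMParser`, call `stripUjsAttributes` on the resulting body, and insert the cleaned fragment instead of letting the browser insert the raw payload. The ancestor check is the more complete defence, because it also covers markup that reaches the editable region by any route other than paste.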

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Exploitability: 2.8 | Impact: 3.4

Affected Packages (3)

Source      | Package            | Version range                   | Further ranges
CVEList V5  | rails/rails-ujs    | 6.1.7.3 / 6.1.7.3               | +1
RubyGems    | rails/actionview   | 5.1.0 / 6.1.7.3                 | +1
Debian      | rubyonrails/rails  | < 2:6.0.3.7+dfsg-2+deb11u2      | +3

Vulnerability Details (4)

OSV      2025-01-09  CVE-2023-23913: There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the...
CVEList  2025-01-09  CVE-2023-23913: There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the...
OSV      2023-06-09  rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
GHSA     2023-06-09  rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements

Vendor Advisories (2)

Red Hat  2023-03-20  rails: DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements
Debian   2023        CVE-2023-23913: rails - There is a potential DOM based cross-site scripting issue in rails-ujs which lev...
CVE-2023-23913 — Cross-site Scripting in Rails | cvebase