CVSS 3.1 Score 7.1 of 10 (high)


Published Mar 11, 2024
Updated: Mar 12, 2024


CVE-2024-28199 affects phlex, an open source Ruby framework for building object-oriented views. It is a cross-site scripting (XSS) vulnerability that can be exploited through maliciously crafted user data. The root cause is improper case-sensitivity in the code intended to prevent XSS: the protective check did not treat differently cased input as equivalent, so it could be bypassed.

Two rendering paths are affected. If an <a> tag is rendered with a user-provided link, the link could execute JavaScript when clicked by another user. Likewise, if user-provided attributes are included when rendering any HTML tag, malicious event attributes could be triggered, executing JavaScript for another user.

Patches are available on RubyGems for all 1.x minor versions and users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow unsafe-inline; such a policy blocks inline script execution in the browser and so limits the impact of an injected event handler or script-bearing link.

The vulnerability has a base severity of HIGH. It allows unauthorized execution of JavaScript in another user's browser, compromising confidentiality and potentially facilitating further attacks.
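The case-sensitivity point above, shown as an added Ruby illustration that is not phlex's own code: a constructed attribute guard compares a weak check (exact, case-sensitive matching of the kind the advisory describes) with a hardened one that normalises attribute names and URL schemes before deciding. The module name, method names and the sample attributes are all hypothetical.

```ruby
# Added illustration (not phlex's code): XSS filtering of user-controlled
# attributes must compare case-insensitively. All names are hypothetical
# and all inputs are constructed samples.
require "cgi"

module AttributeGuard
  # Constructed "weak" check: exact, case-sensitive comparisons. A value or
  # attribute name in a different letter case slips past it. Kept only to
  # contrast with the hardened version below.
  def self.weak_safe?(name, value)
    return false if name.start_with?("on")                        # event handlers
    return false if name == "href" && value.start_with?("javascript:")
    true
  end

  # Hardened check: lowercase the attribute name, strip whitespace and
  # control characters from the value before extracting its URL scheme,
  # lowercase the scheme, and allow only an explicit list of schemes.
  def self.safe?(name, value)
    n = name.to_s.downcase
    return false if n.start_with?("on")                           # any on* handler
    if %w[href src action formaction].include?(n)
      cleaned = value.to_s.gsub(/[\s\x00-\x1f]/, "").downcase
      scheme = cleaned[/\A([a-z][a-z0-9+.-]*):/, 1]               # nil for relative URLs
      return false if scheme && !%w[http https mailto].include?(scheme)
    end
    true
  end

  # Render a tag from user-controlled attributes: drop anything the hardened
  # check rejects and HTML-escape whatever is kept.
  def self.render(tag, attrs)
    kept = attrs.select { |k, v| safe?(k, v) }
    parts = kept.map { |k, v| %(#{CGI.escapeHTML(k.to_s.downcase)}="#{CGI.escapeHTML(v.to_s)}") }
    "<#{tag}#{parts.empty? ? "" : " " + parts.join(" ")}>"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts AttributeGuard.render("a", { "href" => "https://example.com/", "OnClick" => "x" })
end
```

The hardened `safe?` is the part worth copying: normalise first, then match against an allowlist of schemes rather than a denylist of bad ones, so a new letter-case variant or an unexpected scheme cannot reopen the hole. Pair it with a content security policy that omits unsafe-inline, as the advisory recommends, so that a filter miss still cannot run inline script.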

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-28199 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options