CVE-2024-28199

CVSS 3.1 Score 7.1 of 10 (high)

Details

Published: Mar 11, 2024
Updated: Mar 12, 2024
CWE ID: 79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Summary

CVE-2024-28199 affects phlex, the open source framework for building object-oriented views in Ruby. It is a potential cross-site scripting (XSS) vulnerability that can be exploited through maliciously crafted user data. The flaw is a case-sensitivity error in the code intended to prevent XSS: the checks matched only one letter case, so user input that differed only in case passed through unfiltered. If an `<a>` tag with a user-provided link is rendered, the link could execute JavaScript when another user clicks it. Similarly, if user-provided attributes are included when rendering any HTML tag, malicious event attributes could be injected and would execute JavaScript for another user. Patched releases are available on RubyGems for all 1.x minor versions, and users are advised to upgrade. Users who cannot upgrade should consider configuring a Content Security Policy that does not allow `unsafe-inline`, which blocks inline event handlers and `javascript:` URLs in browsers that enforce it. The vulnerability has a base severity of HIGH and is a real risk to organizations because it allows unauthorized execution of JavaScript in a victim's browser, compromising confidentiality and potentially facilitating further attacks.
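To make the bug class concrete, the following is an added illustration of a case-sensitive attribute filter next to a hardened one; it is not phlex's code and does not reproduce the patched project logic. The module names (`WeakCheck`, `HardenedCheck`), the `render_attributes` helper and the `VALID_NAME` pattern are assumptions made here for the example. The hardened version goes slightly beyond the advisory: besides normalising case, it also strips the ASCII whitespace and control characters that browsers ignore when parsing a URL scheme, and it rejects attribute names outside a conservative character set.

```ruby
require "cgi"

# Weak filter (the pattern the advisory describes): it compares against the
# lowercase spelling only, so an event attribute or URL scheme written in a
# different letter case is not recognised and reaches the rendered markup.
module WeakCheck
  def self.unsafe_attribute?(name)
    name.to_s.start_with?("on")
  end

  def self.unsafe_href?(value)
    value.to_s.start_with?("javascript:")
  end
end

# Hardened filter: normalise before comparing. Case is folded, and the
# ASCII whitespace/control characters (U+0000..U+0020) that browsers drop
# while parsing a URL are removed, so the comparison sees what the browser
# will see. (Assumed helper names; not the project's own code.)
module HardenedCheck
  # Attribute names we are willing to emit at all.
  VALID_NAME = /\A[A-Za-z_:][A-Za-z0-9_:.-]*\z/

  def self.valid_name?(name)
    VALID_NAME.match?(name.to_s)
  end

  def self.unsafe_attribute?(name)
    name.to_s.downcase.start_with?("on")
  end

  def self.unsafe_href?(value)
    normalized = value.to_s.gsub(/[\u0000-\u0020]/, "").downcase
    normalized.start_with?("javascript:")
  end
end

# Render a hash of user-supplied attributes into an attribute string,
# dropping every attribute the given checker rejects and HTML-escaping
# every value that survives.
def render_attributes(attrs, checker)
  pieces = []
  attrs.each do |name, value|
    name_s = name.to_s
    next if checker.respond_to?(:valid_name?) && !checker.valid_name?(name_s)
    next if checker.unsafe_attribute?(name_s)
    next if name_s.downcase == "href" && checker.unsafe_href?(value)
    pieces << %(#{name_s}="#{CGI.escapeHTML(value.to_s)}")
  end
  pieces.join(" ")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one benign link plus an attribute set that a
  # user could control. Only the benign attributes should be emitted.
  user_attrs = { "href" => "https://example.com/profile", "class" => "link" }
  puts render_attributes(user_attrs, HardenedCheck)
end
```

The filter is a second line of defence, not a substitute for upgrading: the advisory's recommended fix is the patched gem, and a Content Security Policy without `unsafe-inline` limits the damage if any filter is bypassed.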
