CVE-2024-32463

Summary

CVE-2024-32463 is a vulnerability in the open source framework called phlex, used for building object-oriented views in Ruby. The vulnerability is a cross-site scripting (XSS) issue that can be exploited through maliciously crafted user data. It allows the bypassing of the filter that detects and prevents the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag by using tab `\t` or newline `\n` characters between the characters of the protocol. This vulnerability has been fixed in versions 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2 of phlex by configuring a Content Security Policy that disallows `unsafe-inline`. The potential danger to organizations is relatively high as it can lead to unauthorized execution of scripts on users' browsers and potentially compromise sensitive information.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.