Description
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
Published: 2025-01-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-5389-1 rails security update
Github GHSA Github GHSA GHSA-xp5h-f8jf-rc8q rails-ujs vulnerable to DOM Based Cross-site Scripting contenteditable HTML Elements
History

Thu, 09 Jan 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}


Thu, 09 Jan 2025 01:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in Rails. rails-ujs may allow an attacker to perform Cross-Site Scripting (XSS), which could lead to stolen information, phishing attacks, and other types of attacks. There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2025-01-09T17:09:39.091Z

Reserved: 2023-01-19T18:13:13.209Z

Link: CVE-2023-23913

cve-icon Vulnrichment

Updated: 2025-01-09T17:09:32.997Z

cve-icon NVD

Status : Deferred

Published: 2025-01-09T01:15:07.257

Modified: 2026-06-17T05:38:15.710

Link: CVE-2023-23913

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-03-20T00:00:00Z

Links: CVE-2023-23913 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses