VDB
CISA-2023-23913
CISA-2023-23913
PUBLISHED
CVSS 6.3 MEDIUM
Reported by hackerone · Published January 9, 2025
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
Risk Scores
CVSS 3.1
6.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rails | rails-ujs | 6.1.7.3, 7.0.4.3, 5.1.0 |
| Rails | rails-ujs | 6.1.7.3, 7.0.4.3, 5.1.0 |
Timeline
- Jan 9, 2025 CVE Published
- Jan 9, 2025 CVE Updated
- Apr 26, 2026 Distribution Patch