VDB

CISA-2023-23913

CISA-2023-23913 PUBLISHED CVSS 6.3 MEDIUM

Reported by hackerone · Published January 9, 2025

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

Risk Scores

CVSS 3.1
6.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Affected Products

VendorProductVersions
Railsrails-ujs6.1.7.3, 7.0.4.3, 5.1.0
Railsrails-ujs6.1.7.3, 7.0.4.3, 5.1.0

Timeline

  • Jan 9, 2025 CVE Published
  • Jan 9, 2025 CVE Updated
  • Apr 26, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›