Bug 2182160 (CVE-2023-23913) - CVE-2023-23913 rails: DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements
Status: NEW
Alias: CVE-2023-23913
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Blocks: 2180264
Reported: 2023-03-27 17:50 UTC by Patrick Del Bello
Modified: 2023-07-07 08:31 UTC (History)
Fixed In Version: rails 6.1.7.3, rails 7.0.4.3
Description Patrick Del Bello 2023-03-27 17:50:19 UTC
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Versions Affected: >= 5.1.0
Not affected: < 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3
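
The sink described in the report and the guard a fixed rails-ujs needs, as an added example that is not part of this bug report or of rails-ujs itself. The small Element class stands in for the browser DOM so the file runs under Node; the handler functions use only standard DOM members (parentElement, getAttribute, setAttribute, innerHTML) and would run unchanged on real elements in a browser. The comment-box scenario, the `data-ujs-enable-with` attribute used to save the original label, and the shape of the two handlers are assumptions for illustration, not the upstream code.

```javascript
// Added example, not code from rails-ujs or from this bug report. It models the
// DOM-based sink behind CVE-2023-23913 and a hardened handler. The Element class
// is a stand-in for the browser DOM so this runs under Node; the handler
// functions use only standard DOM members and work on real elements too.

class Element {
  constructor(tagName, attrs = {}, parentElement = null) {
    this.tagName = tagName.toUpperCase();
    this.attrs = { ...attrs };
    this.parentElement = parentElement;
    this.innerHTML = '';
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  setAttribute(name, value) { this.attrs[name] = String(value); }
}

// True when el sits in an editable region. The nearest ancestor carrying a
// contenteditable attribute decides: "", "true" and "plaintext-only" enable
// editing, "false" disables it for its subtree, any other value is ignored and
// the search continues upward. Browsers expose the same answer as
// el.isContentEditable; the explicit walk keeps the rule visible.
function isInsideContentEditable(el) {
  for (let node = el; node; node = node.parentElement) {
    const v = node.getAttribute('contenteditable');
    if (v === null) continue;
    const value = v.toLowerCase();
    if (value === 'false') return false;
    if (value === '' || value === 'true' || value === 'plaintext-only') return true;
  }
  return false;
}

// Vulnerable shape of the data-disable-with feature: the attribute text is
// written with innerHTML, so when the element arrived via paste the attacker
// chooses the markup that gets parsed into the page.
function disableWithUnsafe(el) {
  const replacement = el.getAttribute('data-disable-with');
  if (replacement === null) return false;
  el.setAttribute('data-ujs-enable-with', el.innerHTML); // assumed save slot
  el.innerHTML = replacement;
  return true;
}

// Hardened shape: ujs features are not applied to elements inside an editable
// region. (Writing textContent instead would remove the sink entirely, at the
// cost of legitimate markup such as spinner icons in data-disable-with.)
function disableWithSafe(el) {
  const replacement = el.getAttribute('data-disable-with');
  if (replacement === null || isInsideContentEditable(el)) return false;
  el.setAttribute('data-ujs-enable-with', el.innerHTML);
  el.innerHTML = replacement;
  return true;
}

// The same guard on a second hook. A data-method link is turned into a form
// whose action is the link's href; this returns the form it would submit, or
// null when it refuses.
function methodLinkSafe(anchor) {
  const method = anchor.getAttribute('data-method');
  if (method === null || isInsideContentEditable(anchor)) return null;
  return { action: anchor.getAttribute('href'), method: method.toLowerCase() };
}

// Constructed scenario (assumed): a comment box the app marks contenteditable,
// into which a victim pastes attacker HTML that carries rails-ujs hooks.
function pastedScenario() {
  const editor = new Element('div', { contenteditable: 'true' });
  const form = new Element('form', { 'data-remote': 'true' }, editor);
  const button = new Element('button',
    { 'data-disable-with': '<img src=x onerror="alert(document.domain)">' }, form);
  button.innerHTML = 'Send';
  const link = new Element('a', { href: '/account', 'data-method': 'delete' }, editor);
  return { button, link };
}

function demo() {
  const unsafe = pastedScenario();
  const safe = pastedScenario();
  return {
    unsafeFired: disableWithUnsafe(unsafe.button),
    unsafeMarkup: unsafe.button.innerHTML,
    safeRefused: !disableWithSafe(safe.button),
    safeMarkup: safe.button.innerHTML,
    linkRefused: methodLinkSafe(safe.link) === null,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the guard makes explicit: rails-ujs attaches its handlers by delegation, so they fire for any element in the page that carries one of its data attributes, including markup the browser inserted from the clipboard into a contenteditable region. The server never rendered that markup, so output escaping in the Rails views does not help; the check has to happen in the client-side handler, and `contenteditable="false"` on a nested subtree correctly re-enables the feature there.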

