QwikSec

Security Database

CVE

CWE

Training

CVE-2023-23913

Published: Jan 9, 2025

Modified: Jan 9, 2025

PUBLISHED

Description

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

Vendor	Product	Versions
Rails	rails-ujs	affected `6.1.7.3 - < 6.1.7.3` affected `7.0.4.3 - < 7.0.4.3` unaffected `5.1.0 - < 5.1.0`

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263

https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468

https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd

https://security.netapp.com/advisory/ntap-20240605-0007/

https://www.debian.org/security/2023/dsa-5389

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.