CVE-2024-39308 RailsAdmin Cross-site Scripting vulnerability in the list view

2024-07-0814:33:55

CWE-79

GitHub_M

www.cve.org

cve-2024-39308

railsadmin

cross-site scripting

list view

upgrade

html title attribute

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

30.7%

JSON

RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).

CNA Affected

[
  {
    "vendor": "railsadminteam",
    "product": "rails_admin",
    "versions": [
      {
        "version": ">= 3.0.0, < 3.1.3",
        "status": "affected"
      },
      {
        "version": "< 2.3.0",
        "status": "affected"
      }
    ]
  }
]