
Github Security Blog
added 2026/02/06 7:35 p.m.

Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values

Impact During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS cross-site-scripting protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g...

AI score 5.4 · Exploits 0 · References 7 · Affected Software 1
OSV
added 2026/02/06 7:35 p.m.

GHSA-W67G-2H6V-VJGQ Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values

Impact During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS cross-site-scripting protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g...

CVSS 7.1 · AI score 5.5 · Exploits 0 · References 7
OSV
added 2025/10/17 3:28 a.m.

MAL-2025-48503 Malicious code in phlex-core-ui (npm)

The package phlex-core-ui was found to contain malicious code...

AI score 7 · Exploits 0
OSSF Malicious Packages
added 2025/10/17 3:28 a.m.

Malicious code in phlex-core-ui (npm)

The package phlex-core-ui was found to contain malicious code...

AI score 7 · Exploits 0
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2024-1557

Malicious code in bioql PyPI...

CVSS 7.1 · AI score 6.8 · EPSS 0.00283 · Exploits 0 · References 11
RedhatCVE
added 2025/02/05 7:08 a.m.

CVE-2024-32970

Phlex is a framework for building object-oriented views in Ruby. In affected versions there is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. Since the last two vulnerabilities...

CVSS 7.1 · AI score 6.5 · EPSS 0.00283 · Exploits 0 · References 1
RedhatCVE
added 2025/02/05 6:59 a.m.

CVE-2024-32463

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an tag...

CVSS 7.1 · AI score 5.6 · EPSS 0.00179 · Exploits 0 · References 1
RedhatCVE
added 2025/02/05 1:04 a.m.

CVE-2024-28199

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you...

CVSS 7.1 · AI score 5.7 · EPSS 0.01541 · Exploits 0 · References 1
Veracode
added 2024/05/02 6:03 a.m.

Cross Site Scripting (XSS)

phlex is vulnerable to Cross Site Scripting XSS. The vulnerability is due to insufficient sanitization of user-provided data in HTML attributes. If an application renders an tag within a href attribute that's set to a user provided link, arbitrary JavaScript execution may occur due to overly...

CVSS 7.1 · AI score 6.3 · EPSS 0.00283 · Exploits 0 · References 6 · Affected Software 1
OSV
added 2024/05/01 4:37 p.m.

GHSA-9P57-H987-4VGX Phlex vulnerable to Cross-site Scripting (XSS) via maliciously formed HTML attribute names and values

There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. The reason these issues were not detected before is the escapes were working as designed. However, their design didn't take into account just how recklessly permissive browsers are...

CVSS 7.1 · AI score 6.5 · EPSS 0.00283 · Exploits 0 · References 11
RubySec
added 2024/05/01 12:00 a.m.

Phlex vulnerable to Cross-site Scripting (XSS) via maliciously formed HTML attribute names and values

There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. The reason these issues were not detected before is the escapes were working as designed. However, their design didn't take into account just how recklessly permissive browsers are...

CVSS 7.1 · AI score 5.8 · EPSS 0.00283 · Exploits 0 · References 1 · Affected Software 1
NVD
added 2024/04/30 11:15 p.m.

CVE-2024-32970

Phlex is a framework for building object-oriented views in Ruby. In affected versions there is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. Since the last two vulnerabilities...

CVSS 7.1 · AI score 6.6 · EPSS 0.00283 · Exploits 0 · References 6
Snyk
added 2024/04/30 10:40 p.m.

Cross-site Scripting (XSS)

Overview phlex is a high-performance view framework optimised for fun. Affected versions of this package are vulnerable to Cross-site Scripting XSS due to the handling of user-provided data when rendering HTML or SVG tags. An attacker can execute arbitrary JavaScript on the victim's browser by...

CVSS 7.1 · AI score 5.4 · EPSS 0.00283 · Exploits 0 · References 2
OSV
added 2024/04/30 10:25 p.m.

CVE-2024-32970 Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex

Phlex is a framework for building object-oriented views in Ruby. In affected versions there is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. Since the last two vulnerabilities...

CVSS 7.1 · AI score 6.4 · EPSS 0.00283 · Exploits 0 · References 8
Vulnrichment
added 2024/04/30 10:25 p.m.

CVE-2024-32970 Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex

Phlex is a framework for building object-oriented views in Ruby. In affected versions there is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. Since the last two vulnerabilities...

CVSS 7.1 · AI score 5.4 · EPSS 0.00283 · Exploits 0 · References 6
CVE
added 2024/04/30 10:25 p.m.

CVE-2024-32970

CVE-2024-32970 affects the Phlex Ruby framework. The XSS vulnerability arises from how user-provided input is rendered into HTML attributes (e.g., href or dynamic attribute names/values), allowing JavaScript execution in some contexts. Vulnerable details and remediation are documented across mult...

CVSS 7.1 · AI score 6.5 · EPSS 0.00283 · Exploits 0 · References 6
Cvelist
added 2024/04/30 10:25 p.m.

CVE-2024-32970 Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex

Phlex is a framework for building object-oriented views in Ruby. In affected versions there is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. Since the last two vulnerabilities...

CVSS 7.1 · AI score 6.7 · EPSS 0.00283 · Exploits 0 · References 6
Positive Technologies
added 2024/04/30 12:00 a.m.

PT-2024-25017 · Phlex · Phlex

Name of the Vulnerable Software and Affected Versions: Phlex versions prior to the patched versions available on RubyGems Description: The issue is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. This occurs because the escapes were...

CVSS 7.1 · AI score 5.3 · EPSS 0.00283 · Exploits 0 · References 17
CNNVD
added 2024/04/30 12:00 a.m.

phlex security vulnerability

phlex is a framework for building object-oriented views in Ruby. A security vulnerability exists in Phlex versions prior to 1.10.2, which stems from maliciously generated HTML attribute names and values in Phlex that could lead to cross-site scripting...

CVSS 7.1 · AI score 6.1 · EPSS 0.00283 · Exploits 0 · References 7
NVD
added 2024/04/17 4:15 p.m.

CVE-2024-32463

phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting XSS vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the javascript: URL scheme in the href attribute of an tag...

CVSS 7.1 · AI score 6.3 · EPSS 0.00179 · Exploits 0 · References 4