Lucene search

Veracode Vulnerability DatabaseVERACODE:45845

HistoryMar 12, 2024 - 7:57 a.m.

Cross Site Scripting (XSS)

2024-03-1207:57:02

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

phlex

software

xss

vulnerability

case-sensitivity

sgml.rb

javascript

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Phlex is vulnerable to a cross-site scripting (XSS). The vulnerability is due to improper case-sensitivity checks, rendering an `` tag with a user-provided link in the href attribute within the sgml.rb file, resulting in the execution of JavaScript when clicked on by another user.

CPENameOperatorVersion
phlexeq1.4.0
phlexeq1.7.0
phlexeq1.9.0
phlexeq1.1.0
phlexle1.5.1
phlexle1.2.1
phlexle1.0.0
phlexle1.3.2
phlexle1.8.1
phlexle1.6.1

Name	Operator	Version
phlex	eq	1.4.0
phlex	eq	1.7.0
phlex	eq	1.9.0
phlex	eq	1.1.0
phlex	le	1.5.1
phlex	le	1.2.1
phlex	le	1.0.0
phlex	le	1.3.2
phlex	le	1.8.1
phlex	le	1.6.1

Rows per page:

1-10 of 201

References

developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline

github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1

github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g

7.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

6.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.6%

JSON

Related for VERACODE:45845