CVSS3: 7.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.5%)
phlex is vulnerable to Cross-Site Scripting. The vulnerability is due to improper filtering of the `javascript:` URL scheme within the `href` attribute of an `<a>` tag, which allows an attacker to insert tab (`\t`) or newline (`\n`) characters between the characters of the protocol, resulting in Cross-Site Scripting.
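The filtering gap described above, as an added Ruby example that is not phlex's own code or its fix: a literal prefix check misses a scheme split by tab or newline, while a check that first normalizes the value the way browsers' URL parsing does (dropping tab, LF and CR) catches it. The helper names, the scheme allow-list and the sample values are assumptions constructed for illustration.

```ruby
# Added illustration; hypothetical helpers, not part of phlex.

# Weak check: rejects only values that literally begin with "javascript:".
def naive_unsafe_href?(value)
  value.to_s.downcase.start_with?("javascript:")
end

# Browsers following the WHATWG URL parsing rules strip leading and trailing
# C0 control characters and spaces, then remove every ASCII tab, LF and CR
# from the input before reading the scheme. Mirror that before deciding.
def normalized_scheme(value)
  s = value.to_s.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
  s = s.delete("\t\n\r")
  m = s.match(/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/)
  m && m[1].downcase
end

# Assumed allow-list for this example; a real application picks its own.
ALLOWED_SCHEMES = %w[http https mailto tel].freeze

# Hardened check: allow scheme-less (relative) values and allow-listed
# schemes only, judged on the normalized form.
def safe_href?(value)
  scheme = normalized_scheme(value)
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Constructed sample values with an inert body.
SAMPLES = [
  "https://example.com/",
  "/relative/path",
  "javascript:void(0)",
  "java\tscript:void(0)",
  "j\na\nvascript:void(0)",
  " JavaScript:void(0)"
].freeze

SAMPLES.each do |href|
  puts format("%-28s naive_blocks=%-5s hardened_allows=%s",
              href.inspect, naive_unsafe_href?(href), safe_href?(href))
end
```
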
developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
github.com/advisories/GHSA-g7xq-xv8c-h98c
github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c