CVE-2023-23913

medium

Description

There is a potential DOM-based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote, or data-disable-with attribute.

References

https://www.debian.org/security/2023/dsa-5389

https://security.netapp.com/advisory/ntap-20240605-0007/

https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd

https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263

Details

Source: Mitre, NVD

Published: 2025-01-09

Updated: 2025-01-09

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

Severity: High

CVSS v3

Base Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Severity: Medium