CVE-2023-23913
Cross-site Scripting (XSS) vulnerability in actionview (RubyGems)
What is CVE-2023-23913 About?
This vulnerability is a DOM-based Cross-site Scripting (XSS) issue in rails-ujs, affecting versions 5.1.0 and higher. It is triggered when pasting malicious HTML content from the clipboard into contenteditable elements, which can lead to arbitrary JavaScript execution. Exploitation requires user interaction and malicious clipboard content.
Affected Software
- actionview
- >=7.0.0, <7.0.4.3
- >=5.1.0, <6.1.7.3
Technical Details
The vulnerability stems from how rails-ujs (versions >= 5.1.0) handles content that a user pastes through the browser's Clipboard API, and it results in a DOM-based Cross-site Scripting attack. When a user pastes HTML containing data-method, data-remote, or data-disable-with attributes into an element carrying the contenteditable attribute, rails-ujs processes the pasted markup as if it were trusted page content, without proper sanitization. As a result, JavaScript embedded in the pasted HTML is executed in the context of the page's origin, i.e. client-side script execution.
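The following is an added defensive example and is not code from the advisory or from the rails-ujs project. It shows the two checks a practitioner would want around this bug: a UJS-style handler guard that refuses to act on a data-method / data-remote / data-disable-with element located inside a contenteditable region, and an application-side paste handler that only accepts the text/plain representation of the clipboard. The DOM node stand-ins (makeNode), the function names, and the sample scenario are constructed for this example so it runs under Node without a browser.

```javascript
// Added example (not from the advisory or rails-ujs): defensive checks for
// CVE-2023-23913-style pastes. Node objects are constructed stand-ins that
// expose the DOM properties the checks read (contentEditable, parentNode,
// hasAttribute, getData), so the file runs under plain Node.

// Attributes rails-ujs acts on; pasted markup carrying them is the trigger
// described in the advisory.
const UJS_ATTRIBUTES = ['data-method', 'data-remote', 'data-disable-with'];

// Mirrors the DOM's contentEditable inheritance: 'true' on any ancestor makes
// the subtree editable, an explicit 'false' stops the inheritance, and any
// other value ('inherit', undefined) defers to the parent.
function insideContentEditable(node) {
  for (let n = node; n; n = n.parentNode) {
    if (n.contentEditable === 'true') return true;
    if (n.contentEditable === 'false') return false;
  }
  return false;
}

// Guard for a UJS-style click/submit handler: act on an element that carries
// one of the UJS attributes only when it is NOT inside an editable region,
// where an attacker-controlled paste could have placed it.
function shouldHandleUjsElement(element) {
  const hasUjsAttribute = UJS_ATTRIBUTES.some((name) => element.hasAttribute(name));
  if (!hasUjsAttribute) return false;
  return !insideContentEditable(element);
}

// Application-side mitigation for the paste itself: take only the text/plain
// representation from the clipboard so pasted markup never reaches the DOM.
function plainTextFromPaste(clipboardData) {
  return clipboardData.getData('text/plain') || '';
}

// Browser wiring (never invoked under Node): intercept paste on an editable
// region and insert the plain-text form. execCommand is deprecated but is
// still the common way to insert text at the caret in a contenteditable.
function installPasteGuard(editableElement) {
  editableElement.addEventListener('paste', (event) => {
    event.preventDefault();
    const text = plainTextFromPaste(event.clipboardData);
    editableElement.ownerDocument.execCommand('insertText', false, text);
  });
}

// Constructed stand-in for a DOM element: just enough for the checks above.
function makeNode({ contentEditable, attributes = {}, parentNode = null }) {
  return {
    contentEditable,
    parentNode,
    hasAttribute: (name) => Object.prototype.hasOwnProperty.call(attributes, name),
  };
}

// Constructed scenario from the advisory: an editor div is contenteditable and
// pasted markup has dropped a data-method link inside it.
const editor = makeNode({ contentEditable: 'true' });
const pastedLink = makeNode({ attributes: { 'data-method': 'delete' }, parentNode: editor });
// A legitimate data-remote link elsewhere on the page, outside any editor.
const navLink = makeNode({ attributes: { 'data-remote': 'true' } });

// Summarises which elements a guarded handler would act on.
function demo() {
  return {
    pastedLinkHandled: shouldHandleUjsElement(pastedLink), // false
    navLinkHandled: shouldHandleUjsElement(navLink),       // true
  };
}

if (typeof window === 'undefined') console.log(demo());
```

The guard is a mitigation to layer on top of upgrading actionview, not a replacement for it: the upgraded rails-ujs releases are the authoritative fix, and the paste handler only protects the editable regions the application itself wires it to.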
What is the Impact of CVE-2023-23913?
Successful exploitation may allow attackers to execute arbitrary JavaScript in the victim's browser, enabling session hijacking, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2023-23913?
Exploitation complexity is moderate, as it requires user interaction (pasting malicious content from the clipboard) to trigger. No specific authentication or high privilege is required for the user who performs the paste operation. The vulnerability is local to the client's browser; however, an attacker could prepare a webpage that manipulates the user's clipboard or provides instructions for pasting. The primary constraint is convincing a user to paste specially crafted HTML into a contenteditable element on a vulnerable page. Risk factors include web applications that heavily utilize contenteditable elements, especially those that accept rich text input from untrusted sources, and social engineering to trick users into pasting malicious content.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-23913?
Available Upgrade Options
- actionview
- >=5.1.0, <6.1.7.3 → Upgrade to 6.1.7.3
- actionview
- >=7.0.0, <7.0.4.3 → Upgrade to 7.0.4.3
Additional Resources
- https://github.com/rails/rails
- https://www.debian.org/security/2023/dsa-5389
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
- https://github.com/rails/rails/commit/73009ea59a811b28e8ec2a9c9bc24635aa891214
- https://security.netapp.com/advisory/ntap-20240605-0007
- https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
- https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
- https://osv.dev/vulnerability/GHSA-xp5h-f8jf-rc8q
What are Similar Vulnerabilities to CVE-2023-23913?
Similar Vulnerabilities: CVE-2020-36599, CVE-2015-9284, CVE-2019-1002010, CVE-2017-0904, CVE-2018-3720
