CVE-2023-23913

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
hackeroneCNA
---
---
CISA-ADPADP
6.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Debian logo
Debian Releases
Debian Product
Codename
rails
bullseye (security)
2:6.0.3.7+dfsg-2+deb11u2
fixed
bullseye
2:6.0.3.7+dfsg-2+deb11u2
fixed
bookworm
2:6.1.7.3+dfsg-2~deb12u1
fixed
trixie
2:6.1.7.3+dfsg-4
fixed
sid
2:6.1.7.3+dfsg-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rails
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
rails-4.0
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-actionpack-3.2
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-activemodel-3.2
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-activerecord-3.2
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-activesupport-3.2
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-rails-3.2
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
Common Weakness Enumeration
References
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
https://security.netapp.com/advisory/ntap-20240605-0007/
https://www.debian.org/security/2023/dsa-5389