Bug 1209826 (CVE-2023-23913) - VUL-0: CVE-2023-23913: rubygem-jquery-rails, rubygem-actionview-*: DOM Based Cross-site Scripting in rails-ujs
Status: RESOLVED FIXED
Alias: CVE-2023-23913
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: package coldpool
URL: https://smash.suse.de/issue/361453/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-23913:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-28 09:10 UTC by Robert Frohl
Modified: 2024-05-06 08:51 UTC
CC List: 5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Robert Frohl 2023-03-28 09:10:39 UTC
CVE-2023-23913

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

This vulnerability has been assigned the CVE identifier CVE-2023-23913.

Versions Affected: >= 5.1.0
Not affected: < 5.1.0
Fixed Versions: 6.1.7.3, 7.0.4.3

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23913
https://bugzilla.redhat.com/show_bug.cgi?id=2182160
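The version ranges in the advisory above translate directly into a lockfile check. The following is an added example, not code from this bug, from SUSE, or from Rails: it reads the resolved specs of a Gemfile.lock and flags an actionview version inside the CVE-2023-23913 range (affected >= 5.1.0, fixed in 6.1.7.3 and 7.0.4.3, so 5.1.x, 5.2.x and 6.0.x have no upstream fix at all). Only actionview is checked, since the advisory gives no range for jquery-rails. The sample lockfile is constructed for the example. Caveat for distribution packages: a backported fix such as rubygem-actionview-5_1-5.1.4-150000.3.9.1 keeps the old upstream version number, so this check is meaningful for gems resolved from rubygems.org, not for distro RPMs.

```ruby
# Added example, not code from the SUSE bug or from Rails/rails-ujs.
# Flags an actionview version inside the CVE-2023-23913 range stated in
# the advisory: affected >= 5.1.0, fixed in 6.1.7.3 and 7.0.4.3.
require "rubygems"

# Affected ranges derived from the advisory text. 5.1.x, 5.2.x and 6.0.x
# never received an upstream fix, so everything from 5.1.0 up to the
# 6.1.7.3 fix is affected; 7.0.x is affected until 7.0.4.3; later series
# (7.1 and up) were released after the fix.
AFFECTED_RANGES = [
  Gem::Requirement.new(">= 5.1.0", "< 6.1.7.3"),
  Gem::Requirement.new(">= 7.0.0", "< 7.0.4.3"),
].freeze

# True when the given actionview version string lies in an affected range.
def actionview_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |range| range.satisfied_by?(v) }
end

# Parse the resolved "specs:" entries of a Gemfile.lock into {name => version}.
# Resolved gems are indented exactly four spaces; their dependency lines are
# indented six spaces and are skipped by the anchored regex.
def locked_versions(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = /\A {4}([A-Za-z0-9_.-]+) \(([^)]+)\)\s*\z/.match(line)
    [m[1], m[2]] if m
  end.to_h
end

# Returns {version:, affected:} for actionview, or nil if it is not locked.
def check_lockfile(lockfile_text)
  version = locked_versions(lockfile_text)["actionview"]
  return nil unless version
  { version: version, affected: actionview_affected?(version) }
end

# Constructed sample lockfile (not from any real project), pinned one
# patch release below the 7.0 fix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.0.4.2)
        actionview (= 7.0.4.2)
      actionview (7.0.4.2)
        activesupport (= 7.0.4.2)
      jquery-rails (4.5.1)
        rails-dom-testing (>= 1, < 3)
        railties (>= 3.1)
LOCK

if $PROGRAM_NAME == __FILE__
  result = check_lockfile(SAMPLE_LOCK)
  status = result[:affected] ? "AFFECTED" : "fixed"
  puts "actionview #{result[:version]}: #{status} (CVE-2023-23913)"
end
```

Run it against a real project with `check_lockfile(File.read("Gemfile.lock"))`. Gem::Requirement does the version comparison, so four-segment releases like 6.1.7.3 and pre-release tags are ordered correctly without hand-written parsing.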
Comment 1 Robert Frohl 2023-03-28 09:12:47 UTC
The old versions we ship are not affected, but will leave the bug open in case there are updates planned.
Comment 4 Thomas Leroy 2023-06-05 12:20:37 UTC
Any news Manuel?
Comment 10 Petr Gajdos 2023-09-21 10:44:11 UTC
submitted: 15/rubygem-actionview-5_1
Comment 12 Maintenance Automation 2023-09-27 16:30:12 UTC
SUSE-SU-2023:3813-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1209826
CVE References: CVE-2023-23913
Sources used:
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rubygem-actionview-5_1-5.1.4-150000.3.9.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): rubygem-actionview-5_1-5.1.4-150000.3.9.1
openSUSE Leap 15.4 (src): rubygem-actionview-5_1-5.1.4-150000.3.9.1
openSUSE Leap 15.5 (src): rubygem-actionview-5_1-5.1.4-150000.3.9.1
SUSE Linux Enterprise High Availability Extension 15 SP1 (src): rubygem-actionview-5_1-5.1.4-150000.3.9.1
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rubygem-actionview-5_1-5.1.4-150000.3.9.1
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rubygem-actionview-5_1-5.1.4-150000.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Petr Gajdos 2023-10-12 12:05:47 UTC
I believe all fixed.
Comment 14 Robert Frohl 2024-05-06 08:51:08 UTC
done, closing