CVE-2024-39308 - Vulnerability Details - OpenCVE

ReportizFlow

RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Rails Admin Project	Rails Admin

Configuration 1 [-]

OR	cpe:2.3:a:rails_admin_project:rails_admin::::::ruby::*
	cpe:2.3:a:rails_admin_project:rails_admin::::::ruby::*

No data.

References

Link	Providers
https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef
https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673
https://github.com/railsadminteam/rails_admin/issues/3686
https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc
https://rubygems.org/gems/rails_admin/versions/2.3.0
https://rubygems.org/gems/rails_admin/versions/3.1.3

History

Thu, 22 Aug 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rails Admin Project Rails Admin Project rails Admin
CPEs		cpe:2.3:a:rails_admin_project:rails_admin::::::ruby::*
Vendors & Products		Rails Admin Project Rails Admin Project rails Admin
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-07-08T14:33:55.144Z

Updated: 2024-08-02T04:19:20.581Z

Reserved: 2024-06-21T18:15:22.259Z

Link: CVE-2024-39308

Vulnrichment

Updated: 2024-07-17T13:06:01.233Z

NVD

Status : Modified

Published: 2024-07-08T15:15:22.080

Modified: 2024-11-21T09:27:25.837

Link: CVE-2024-39308

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-39308", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-21T18:15:22.259Z", "datePublished": "2024-07-08T14:33:55.144Z", "dateUpdated": "2024-08-02T04:19:20.581Z"}, "containers": {"cna": {"title": "RailsAdmin Cross-site Scripting vulnerability in the list view", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.0"}}], "references": [{"name": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc"}, {"name": "https://github.com/railsadminteam/rails_admin/issues/3686", "tags": ["x_refsource_MISC"], "url": "https://github.com/railsadminteam/rails_admin/issues/3686"}, {"name": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef", "tags": ["x_refsource_MISC"], "url": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef"}, {"name": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673", "tags": ["x_refsource_MISC"], "url": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673"}, {"name": "https://rubygems.org/gems/rails_admin/versions/2.3.0", "tags": ["x_refsource_MISC"], "url": "https://rubygems.org/gems/rails_admin/versions/2.3.0"}, {"name": "https://rubygems.org/gems/rails_admin/versions/3.1.3", "tags": ["x_refsource_MISC"], "url": "https://rubygems.org/gems/rails_admin/versions/3.1.3"}], "affected": [{"vendor": "railsadminteam", "product": "rails_admin", "versions": [{"version": ">= 3.0.0, < 3.1.3", "status": "affected"}, {"version": "< 2.3.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T14:33:55.144Z"}, "descriptions": [{"lang": "en", "value": "RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released)."}], "source": {"advisory": "GHSA-8qgm-g2vv-vwvc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T15:31:21.992694Z", "id": "CVE-2024-39308", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T13:06:05.683Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T04:19:20.581Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc"}, {"name": "https://github.com/railsadminteam/rails_admin/issues/3686", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/railsadminteam/rails_admin/issues/3686"}, {"name": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef"}, {"name": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673"}, {"name": "https://rubygems.org/gems/rails_admin/versions/2.3.0", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://rubygems.org/gems/rails_admin/versions/2.3.0"}, {"name": "https://rubygems.org/gems/rails_admin/versions/3.1.3", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://rubygems.org/gems/rails_admin/versions/3.1.3"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-39308", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-16T15:31:21.992694Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T13:06:01.233Z"}}], "cna": {"title": "RailsAdmin Cross-site Scripting vulnerability in the list view", "source": {"advisory": "GHSA-8qgm-g2vv-vwvc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "railsadminteam", "product": "rails_admin", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.1.3"}, {"status": "affected", "version": "< 2.3.0"}]}], "references": [{"url": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc", "name": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/railsadminteam/rails_admin/issues/3686", "name": "https://github.com/railsadminteam/rails_admin/issues/3686", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef", "name": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673", "name": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673", "tags": ["x_refsource_MISC"]}, {"url": "https://rubygems.org/gems/rails_admin/versions/2.3.0", "name": "https://rubygems.org/gems/rails_admin/versions/2.3.0", "tags": ["x_refsource_MISC"]}, {"url": "https://rubygems.org/gems/rails_admin/versions/3.1.3", "name": "https://rubygems.org/gems/rails_admin/versions/3.1.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-07-08T14:33:55.144Z"}}}, "cveMetadata": {"cveId": "CVE-2024-39308", "state": "PUBLISHED", "dateUpdated": "2024-07-17T13:06:05.683Z", "dateReserved": "2024-06-21T18:15:22.259Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-07-08T14:33:55.144Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rails_admin_project:rails_admin:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "5835771A-4E7F-409A-939E-8442D2E9A5CE", "versionEndExcluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rails_admin_project:rails_admin:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "516887D9-E69F-452C-B73F-7812CC6B4731", "versionEndExcluding": "3.1.3", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "RailsAdmin is a Rails engine that provides an interface for managing data. RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released)."}, {"lang": "es", "value": "RailsAdmin es un motor Rails que proporciona una interfaz para gestionar datos. La vista de lista RailsAdmin tiene la vulnerabilidad XSS, causada por un atributo de t\u00edtulo HTML con escape incorrecto. Actualice a 3.1.3 o 2.2.2 (por publicarse)."}], "id": "CVE-2024-39308", "lastModified": "2024-11-21T09:27:25.837", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "[email protected]", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "[email protected]", "type": "Primary"}]}, "published": "2024-07-08T15:15:22.080", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673"}, {"source": "[email protected]", "tags": ["Issue Tracking"], "url": "https://github.com/railsadminteam/rails_admin/issues/3686"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://rubygems.org/gems/rails_admin/versions/2.3.0"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://rubygems.org/gems/rails_admin/versions/3.1.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://github.com/railsadminteam/rails_admin/issues/3686"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://rubygems.org/gems/rails_admin/versions/2.3.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://rubygems.org/gems/rails_admin/versions/3.1.3"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Primary"}]}