Users who set their Active Admin form legends dynamically may be vulnerable to stored XSS whenever the legend's value can be supplied directly by a malicious user.
For example, where the name (legend) of the form is set to a value that depends on an attribute of the resource:
```ruby
# Vulnerable pattern as described in the advisory: the legend text comes
# straight from a resource attribute that non-admin users may control.
form do |f|
  f.inputs name: resource.name do
    f.input :name
    f.input :description
  end
  f.actions
end
```
Then a malicious user could create an entity whose attribute carries a payload, and that payload would be executed in the Active Admin administrator's browser when the form is rendered.
Both `form` blocks with an implicit or explicit name (i.e., both `form resource.name` and `form name: resource.name`) suffer from the problem, where the value of the name can be arbitrarily set by non-admin users.
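The following stand-alone example is added here for illustration; it is not Active Admin's own code and does not reproduce its rendering internals. It models the difference between a legend interpolated into markup verbatim and one passed through `ERB::Util.html_escape` first, using a constructed malicious resource name, and includes a small check that reports which tags a browser would parse out of the rendered legend. The helper names (`legend_html_unsafe`, `legend_html_safe`, `legend_tags`) and the sample payload are assumptions of this example.

```ruby
# Added example, not Active Admin's code: a stand-alone model of how a
# dynamic form legend reaches the administrator's browser, unescaped and
# escaped. Only the Ruby standard library is used.
require "erb"

# Constructed sample: the "name" attribute of a resource that a non-admin
# user was allowed to set freely.
MALICIOUS_NAME = %q{Widget <img src=x onerror="alert(document.cookie)">}

# Vulnerable rendering (assumed model of the pre-fix behaviour): the legend
# is interpolated into markup verbatim, so any HTML in the attribute
# becomes live markup in the admin page.
def legend_html_unsafe(name)
  "<fieldset><legend>#{name}</legend></fieldset>"
end

# Hardened rendering: escape the attribute before it becomes markup. This is
# the same principle as escaping at the call site, e.g.
# `form name: ERB::Util.html_escape(resource.name)`, shown here as an
# illustration rather than as Active Admin's fix.
def legend_html_safe(name)
  "<fieldset><legend>#{ERB::Util.html_escape(name)}</legend></fieldset>"
end

# Check helper: list the element names a browser would parse out of the
# legend text. A legend built from untrusted input should yield none.
def legend_tags(html)
  legend = html[%r{<legend>(.*?)</legend>}m, 1] || ""
  legend.scan(/<([a-zA-Z][\w-]*)/).flatten
end

if __FILE__ == $0
  puts legend_html_unsafe(MALICIOUS_NAME)
  puts legend_tags(legend_html_unsafe(MALICIOUS_NAME)).inspect
  puts legend_html_safe(MALICIOUS_NAME)
  puts legend_tags(legend_html_safe(MALICIOUS_NAME)).inspect
end
```

Run the file directly to see both renderings side by side: the unescaped legend contains a live `img` element with an `onerror` handler, while the escaped one contains only text. The `legend_tags` check is deliberately simple (a regex, not an HTML parser) and is meant for spotting the obvious case in rendered admin pages, not as a replacement for escaping.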
Affected versions:

CPE | Name | Operator | Version
---|---|---|---
 | gem/activeadmin | lt | 3.2.2
 | gem/activeadmin | ge | 4.0.0.beta1
 | gem/activeadmin | lt | 4.0.0.beta7