RailsAdmin Cross-site Scripting vulnerability in the list view

2024-07-0814:14:43

Google

osv.dev

railsadmin

xss

vulnerability

list view

patch

workaround

html

upgrade

view file

xss attack

sanitizehelper

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

30.7%

JSON

Impact

RailsAdmin list view has the XSS vulnerability, caused by improperly-escaped HTML title attribute.
The issue was originally reported in https://github.com/railsadminteam/rails_admin/issues/3686.

Patches

Upgrade to 3.1.4. The vulnerability itself was patched in 3.1.3 but it has a functionality issue.
Initially the vulnerability was thought to exist in versions before 3.0, but it didn’t. 2.x users can stay on 2.2.1.

Workarounds

Copy the index view (located under the path app/views/rails_admin/main/index.html.erb) from the RailsAdmin version you use, and place it into your application by using the same path.
Open the view file by an editor, and change the way to populate the td tag:

               &lt;% properties.map{ |property| property.bind(:object, object) }.each do |property| %&gt;
                 &lt;% value = property.pretty_value %&gt;
-                <td>
+                &lt;%= content_tag(:td, class: [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?), title: strip_tags(value.to_s)) do %&gt;
                   &lt;%= value %&gt;
-                </td>
+                &lt;% end %&gt;
               &lt;% end %&gt;

Note: The view file created by this needs to be removed after upgrading RailsAdmin afterwards, unless this old view continue to be used. Only do this if you can’t upgrade RailsAdmin now for a reason.