Lucene search

RubySecRUBY:PAY-2023-30614

HistoryApr 19, 2023 - 9:00 p.m.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Pay

2023-04-1921:00:00

RubySec

github.com

pay

xss

payment info

cross-site scripting

security patch

version 6.3.2

sanitize

relative paths

rails application

user-generated content

email distribution

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS

0.001

Percentile

36.1%

JSON

Impact
A payments info page of Pay is susceptible to reflected Cross-site
scripting. An attacker could create a working URL that renders a
javascript link to a user on a Rails application that integrates
Pay. This URL could be distributed via email to specifically target
certain individuals. If the targeted application contains a
functionality to submit user-generated content (such as comments)
the attacker could even distribute the URL using that functionality.
Patches
This has been patched in version 6.3.2 and above.
Pay will now sanitize the back parameter and only permit relative paths.

Affected configurations

Vulners

Node

rubypayRange≤6.3.2

VendorProductVersionCPE
rubypay*cpe:2.3:a:ruby:pay:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ruby	pay	*	cpe:2.3:a:ruby:pay::::::::

References

github.com/pay-rails/pay/security/advisories/GHSA-cqf3-vpx7-rxhw