CVE-2023-23913 — rails - security update

Description

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

How to fix CVE-2023-23913

To remediate CVE-2023-23913, upgrade the affected package to a fixed version below.

—upgrade to 2:6.0.3.7+dfsg-2+deb11u2 or later
—upgrade to 2:6.0.3.7+dfsg-2+deb11u2 or later
—upgrade to 6.1.7.3 or later

Is CVE-2023-23913 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 2:6.0.3.7+dfsg-2+deb11u2
from 0, < 2:6.0.3.7+dfsg-2+deb11u2
>= 5.1.0, < 6.1.7.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-23913
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-23913
PATCHgithub.com/rails/rails
WEBbugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263