Medium severity6.3OSV Advisory· Published Jan 9, 2025· Updated Jun 17, 2026
CVE-2023-23913
CVE-2023-23913
Description
There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionviewRubyGems | >= 5.1.0, < 6.1.7.3 | 6.1.7.3 |
actionviewRubyGems | >= 7.0.0, < 7.0.4.3 | 7.0.4.3 |
Affected products
9- Range: v0.10.0, v0.10.1, v0.11.0, …
- ghsa-coords8 versionspkg:gem/actionviewpkg:rpm/opensuse/rubygem-actionview-5_1&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/rubygem-actionview-5_1&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/rubygem-actionview-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-actionview-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-actionview-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/rubygem-actionview-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/rubygem-actionview-5_1&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5
>= 5.1.0, < 6.1.7.3+ 7 more
- (no CPE)range: >= 5.1.0, < 6.1.7.3
- (no CPE)range: < 5.1.4-150000.3.9.1
- (no CPE)range: < 5.1.4-150000.3.9.1
- (no CPE)range: < 5.1.4-150000.3.9.1
- (no CPE)range: < 5.1.4-150000.3.9.1
- (no CPE)range: < 5.1.4-150000.3.9.1
- (no CPE)range: < 5.1.4-150000.3.9.1
- (no CPE)range: < 5.1.4-150000.3.9.1
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-xp5h-f8jf-rc8qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-23913ghsaADVISORY
- bugs.debian.org/cgi-bin/bugreport.cginvdWEB
- discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468nvdWEB
- github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbdnvdWEB
- github.com/rails/rails/commit/73009ea59a811b28e8ec2a9c9bc24635aa891214ghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2023-23913.ymlghsaWEB
- security.netapp.com/advisory/ntap-20240605-0007ghsaWEB
- www.debian.org/security/2023/dsa-5389nvdWEB
- security.netapp.com/advisory/ntap-20240605-0007/nvd
News mentions
0No linked articles in our index yet.