CVE-2024-37031

The Active Admin (activeadmin) framework for Ruby on Rails, prior to version 3.2.2, contains a stored cross-site scripting (XSS) vulnerability in its dynamic form legends functionality. The issue arises when users with the ability to create entities (such as resources or records) can supply arbitrary names that are later rendered as form legends without proper escaping. This allows an attacker to inject malicious HTML or JavaScript into the page [1][2].

Exploitation requires that an attacker has the ability to create or edit entities within the Active Admin interface. The injected payload is stored on the server and subsequently executed in the browser of any administrator or user who views the form containing the malicious legend. No additional authentication bypass is needed beyond the standard privileges required to create or edit entities, making it a targeted attack against users with higher-level access [3].

The impact of successful exploitation is a stored XSS attack, which could lead to session hijacking, defacement, or theft of sensitive information within the administrative interface. The vulnerability is rated Medium (CVSS 6.1) due to the requirement that the attacker must have an account with entity creation permissions [1].

Version 3.2.2 of the activeadmin gem fixes the issue by escaping the legend output. The fix was backported to the 3-0-stable branch and is also available in the 4.0.0.beta7 release. Users are strongly advised to upgrade to either of these patched versions [2][3][4].