VYPR
Moderate severity · NVD Advisory · Published Jul 8, 2024 · Updated Aug 2, 2024

RailsAdmin Cross-site Scripting vulnerability in the list view

CVE-2024-39308

Description

RailsAdmin is a Rails engine that provides an interface for managing data. The RailsAdmin list view has an XSS vulnerability caused by an improperly escaped HTML title attribute. Upgrade to 3.1.3 or 2.2.2 (to be released).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-39308 is a stored XSS vulnerability in RailsAdmin's list view due to improperly escaped HTML title attributes, fixed in versions 3.1.3 and 2.2.2.

Vulnerability

Description

RailsAdmin, a Rails engine providing a management interface for data, contains a stored cross-site scripting (XSS) vulnerability in its list view. The flaw arises from improper escaping of the HTML title attribute when displaying record values: the vulnerable template rendered the value through strip_tags rather than escaping it for the attribute context, so quote characters in a record value reached the attribute unescaped. The fix removes the strip_tags call so that the value is escaped like any other template output [1][3][4].

Exploitation

An attacker with access to create or edit records can inject a malicious payload into a field value, such as " onclick="alert()" ". When an administrator or other user views the list page, the payload is rendered in the title attribute of the table cell, which can execute JavaScript in the context of the admin interface without additional authentication beyond normal data management privileges [2][4].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the RailsAdmin session, potentially leading to data exfiltration, session hijacking, or administrative actions performed on behalf of the victim. The vulnerability is classified as medium severity with a CVSS score of 6.1 [1].

Mitigation

Users should upgrade to RailsAdmin version 3.1.3 or 2.2.2 (to be released) which include the fix. The commit replaces the vulnerable title attribute rendering with properly escaped output [2][4]. No workarounds are provided for unpatched versions.
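The difference between the two template paths, as an added example that is not part of the advisory or of RailsAdmin: a plain-Ruby stand-in for the vulnerable `title="<%= strip_tags(value.to_s) %>"` rendering beside the escaped form, plus a small attribute extractor a reviewer can use to check a rendered cell. The payload is the one from the project's regression spec; the strip_tags stand-in and the extractor are this example's own simplifications.

```ruby
require 'erb'
require 'cgi'

# Payload taken from the project's regression spec (no tags, only quotes),
# used here as constructed sample input.
PAYLOAD = '" onclick="alert()" "'

# Stand-in for the vulnerable template path: strip_tags only removes tags and
# its result was inserted into the attribute without attribute escaping.
# Because the payload has no tags, it passes through unchanged.
def render_td_vulnerable(value)
  stripped = value.gsub(/<[^>]*>/, '') # crude strip_tags stand-in (assumption)
  "<td title=\"#{stripped}\">#{ERB::Util.html_escape(value)}</td>"
end

# Fixed path: escape for the attribute context (and the body) with
# ERB::Util.html_escape, which turns '"' into &quot; so it cannot close
# the attribute.
def render_td_fixed(value)
  escaped = ERB::Util.html_escape(value)
  "<td title=\"#{escaped}\">#{escaped}</td>"
end

# Reviewer's check: parse the attributes of the opening <td ...> tag into a
# Hash. An injected "onclick" shows up as its own key, exactly what the
# project's spec asserts is nil.
def td_attributes(html)
  open_tag = html[/\A<td\b([^>]*)>/, 1] || ''
  open_tag.scan(/([\w-]+)="([^"]*)"/).to_h
end

# What a browser would show in the tooltip after entity decoding; the fixed
# output round-trips to the original value, as the spec expects.
def decoded_title(html)
  CGI.unescapeHTML(td_attributes(html).fetch('title', ''))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{td_attributes(render_td_vulnerable(PAYLOAD)).inspect}"
  puts "fixed:      #{td_attributes(render_td_fixed(PAYLOAD)).inspect}"
  puts "tooltip:    #{decoded_title(render_td_fixed(PAYLOAD)).inspect}"
end
```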

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions         Patched versions
rails_admin (RubyGems)   >= 3.0.0.beta, < 3.1.3    3.1.3

Affected products

2
  • ghsa-coords
    Range: >= 3.0.0.beta, < 3.1.3
  • railsadminteam/rails_admin v5
    Range: >= 3.0.0, < 3.1.3

Patches

6
b5a287d82e2c

Fix XSS vulnerability in the list view

https://github.com/railsadminteam/rails_admin · Mitsuhiro Shibuya · Jul 6, 2024 · via ghsa
3 files changed · +14 −2
  • app/views/rails_admin/main/index.html.erb (+1 −1, modified)
    @@ -133,7 +133,7 @@
                   <% end %>
                   <% properties.map{ |property| property.bind(:object, object) }.each do |property| %>
                     <% value = property.pretty_value %>
    -                <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= strip_tags(value.to_s) %>">
    +                <td class="<%= [property.sticky? && 'sticky', property.css_class, property.type_css_class].select(&:present?).join(' ') %>" title="<%= value %>">
                       <%= value %>
                     </td>
                   <% end %>
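Review bot: `title="<%= value %>"` is only escaped if `value` is a plain string; it is the same `property.pretty_value` object that the next line renders as the cell body, so should any field's pretty_value be marked html_safe, `<%= %>` will skip escaping for it inside the attribute as well. Suggest either forcing attribute escaping explicitly, e.g. `title="<%= ERB::Util.html_escape(String.new(value.to_s)) %>"`, or adding a spec for a field whose pretty_value renders markup to document that the plain `<%= value %>` is sufficient.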
    
  • .rubocop_todo.yml (+1 −1, modified)
    @@ -21,7 +21,7 @@ Lint/ReturnInVoidContext:
     # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
     # IgnoredMethods: refine
     Metrics/BlockLength:
    -  Max: 1097
    +  Max: 1107
     
     # Offense count: 1
     # Configuration parameters: Max, CountKeywordArgs.
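Review bot: raising `Max: 1097` to `Max: 1107` widens an existing Metrics/BlockLength exemption to absorb the new lines rather than shrinking the oversized block. Acceptable in a security fix, but the todo file keeps growing; a follow-up that splits that block would let this number go down instead of up.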
    
  • spec/integration/actions/index_spec.rb (+12 −0, modified)
    @@ -674,6 +674,18 @@
           visit index_path(model_name: 'team')
           expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
         end
    +
    +    it 'does not allow XSS for title attribute' do
    +      RailsAdmin.config Team do
    +        list do
    +          field :name
    +        end
    +      end
    +      @team = FactoryBot.create :team, name: '" onclick="alert()" "'
    +      visit index_path(model_name: 'team')
    +      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
    +      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
    +    end
       end
     
       context 'when no record exists' do
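Review bot: the new example only covers quote-based attribute injection on a plain string field: `['onclick']` must be nil and `['title']` must round-trip to `'" onclick="alert()" "'`. Since the fix removes strip_tags, a tag-bearing value now renders differently than before; a second example with angle brackets in `name` would confirm that both the tooltip and the cell body stay escaped, and that the tooltip text no longer has its tags silently dropped.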
    
d84b39884059

Fix XSS vulnerability in the list view

https://github.com/railsadminteam/rails_admin · Mitsuhiro Shibuya · Jul 6, 2024 · via ghsa
2 files changed · +13 −1
  • app/views/rails_admin/main/index.html.haml (+1 −1, modified)
    @@ -103,7 +103,7 @@
                   %td.other.left= link_to "...", @other_left_link, class: 'pjax'
                 - properties.map{ |property| property.bind(:object, object) }.each do |property|
                   - value = property.pretty_value
    -              %td{class: "#{property.css_class} #{property.type_css_class}", title: strip_tags(value.to_s)}= value
    +              %td{class: "#{property.css_class} #{property.type_css_class}", title: value}= value
                 - if @other_right_link ||= other_right && index_path(params.merge(set: (params[:set].to_i + 1)))
                   %td.other.right= link_to "...", @other_right_link, class: 'pjax'
                 - unless frozen_columns
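Review bot: `title: value` hands the unmodified pretty_value into the HAML attribute hash, while the body on the same line is emitted with `= value`; the attribute is now only as safe as HAML's attribute escaping treats that object. Same point as in the ERB view: confirm the behaviour when pretty_value is html_safe, and consider noting in the commit message that this branch relies on HAML's `escape_attrs` rather than on explicit escaping.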
    
  • spec/integration/actions/index_spec.rb (+12 −0, modified)
    @@ -654,6 +654,18 @@
           visit index_path(model_name: 'team')
           expect(find('tbody tr:nth-child(1) td:nth-child(4)')).to have_content(@players.sort_by(&:id).collect(&:name).join(', '))
         end
    +
    +    it 'does not allow XSS for title attribute' do
    +      RailsAdmin.config Team do
    +        list do
    +          field :name
    +        end
    +      end
    +      @team = FactoryBot.create :team, name: '" onclick="alert()" "'
    +      visit index_path(model_name: 'team')
    +      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['onclick']).to be_nil
    +      expect(find('tbody tr:nth-child(1) td:nth-child(2)')['title']).to eq '" onclick="alert()" "'
    +    end
       end
     
       context 'without pagination' do
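Review bot: this example is a verbatim copy of the one added in b5a287d82e2c, differing only in the hunk offset (`@@ -654`), which is fine for a backport. One thing to confirm for both branches: `RailsAdmin.config Team do list do field :name end end` mutates global configuration inside the example, so unless the surrounding context resets config between examples, the `field :name` restriction leaks into the following `context 'without pagination'` examples.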
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
