Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction
Description
Publify is a self hosted Web publishing platform on Rails. Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the publify_core rubygem, publisher on a publify application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. The exploitation of this XSS vulnerability requires the administrator to click a malicious link. An attack could attempt to hide their payload by using HTML, or other encodings, as to not make it obvious to an administrator that this is a malicious link. A publisher may attempt to use this vulnerability to escalate their privileges and become an administrator. Version 10.0.1 of Publify and version 10.0.2 of the publify_core rubygem fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
publify_coreRubyGems | < 10.0.2 | 10.0.2 |
Affected products
2- Range: < 10.0.1
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-8fm5-gg2f-f66qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-39311ghsaADVISORY
- github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66qghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.