CVE-2024-23632 exists because the `prosemirror_to_html` Ruby gem, when converting a ProseMirror document structure to an HTML string, applied HTML escaping only to the text content of nodes and not to the values of HTML attributes. An attacker who controls a ProseMirror document (for example, content stored as ProseMirror JSON and later rendered for other users) can therefore craft a node such as a link or image whose attribute values contain a double quote followed by further markup. When the document is converted to HTML and rendered in a victim's browser, the unescaped value closes the attribute it was placed in and injects new attributes, including JavaScript event handlers: an image node's `src` could be set to `x" onerror="alert(1)`. A link node's `href` could likewise be set to `javascript:alert('XSS')`; that value is a well-formed attribute and is not neutralised by escaping alone, so a complete fix also has to validate URL schemes. Because the conversion process neither escapes nor validates these values, the resulting HTML contains the raw payload, leading to Cross-Site Scripting (XSS) in which attacker-supplied JavaScript executes in the context of the end user's session.
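As an added illustration (this is not code from the `prosemirror_to_html` gem, whose internals are not reproduced here), the following Ruby sketch models a minimal ProseMirror-JSON-to-HTML converter with the flaw described above, beside a hardened version that escapes every attribute value and allow-lists URL schemes. The sample document, node and attribute names, and the module names are assumptions constructed for the example.

```ruby
require 'cgi'

# Constructed sample ProseMirror document (not from any real test suite).
# The link mark carries a javascript: URL; the image src closes its attribute
# and appends an event handler.
DOC = {
  'type' => 'doc',
  'content' => [
    { 'type' => 'paragraph', 'content' => [
      { 'type' => 'text', 'text' => 'click <here>',
        'marks' => [{ 'type' => 'link', 'attrs' => { 'href' => "javascript:alert('XSS')" } }] },
      { 'type' => 'image', 'attrs' => { 'src' => 'x" onerror="alert(1)', 'alt' => 'pic' } }
    ] }
  ]
}.freeze

# Vulnerable pattern (hypothetical reconstruction of the advisory's description):
# only text content goes through CGI.escapeHTML, attribute values are raw.
module VulnerableConverter
  def self.render(node)
    case node['type']
    when 'doc'       then children(node)
    when 'paragraph' then "<p>#{children(node)}</p>"
    when 'image'
      a = node['attrs']
      "<img src=\"#{a['src']}\" alt=\"#{a['alt']}\">"        # raw attribute values
    when 'text'
      text = CGI.escapeHTML(node['text'])                    # text content is escaped
      link = (node['marks'] || []).find { |m| m['type'] == 'link' }
      link ? "<a href=\"#{link['attrs']['href']}\">#{text}</a>" : text
    else ''
    end
  end

  def self.children(node)
    (node['content'] || []).map { |c| render(c) }.join
  end
end

# Hardened pattern: every attribute value is escaped, and URL-bearing
# attributes are additionally checked against a scheme allow-list.
module HardenedConverter
  ALLOWED_SCHEMES = /\A(?:https?|mailto):/i

  # Escaping stops the attribute breakout (" becomes &quot;); it does nothing
  # against javascript: URLs, which are already well-formed attribute values.
  def self.attr(name, value)
    " #{name}=\"#{CGI.escapeHTML(value.to_s)}\""
  end

  # Browsers drop ASCII whitespace/control characters while parsing a URL, so
  # "java\tscript:" still executes; strip them before inspecting the scheme.
  def self.safe_url?(value)
    v = value.to_s.gsub(/[\x00-\x20]/, '')
    return true unless v.match?(/\A[a-z][a-z0-9+.-]*:/i)   # no scheme: relative URL
    v.match?(ALLOWED_SCHEMES)
  end

  def self.render(node)
    case node['type']
    when 'doc'       then children(node)
    when 'paragraph' then "<p>#{children(node)}</p>"
    when 'image'
      a = node['attrs']
      return '' unless safe_url?(a['src'])
      "<img#{attr('src', a['src'])}#{attr('alt', a['alt'])}>"
    when 'text'
      text = CGI.escapeHTML(node['text'])
      link = (node['marks'] || []).find { |m| m['type'] == 'link' }
      href = link && link['attrs']['href']
      if href && safe_url?(href)
        "<a#{attr('href', href)}>#{text}</a>"
      else
        text                                  # unsafe link mark dropped, text kept
      end
    else ''
    end
  end

  def self.children(node)
    (node['content'] || []).map { |c| render(c) }.join
  end
end

if __FILE__ == $PROGRAM_NAME
  puts VulnerableConverter.render(DOC)
  puts HardenedConverter.render(DOC)
end
```

Running the file prints the vulnerable output, in which the image gains a live `onerror` handler and the anchor keeps its `javascript:` URL, followed by the hardened output, where the quote is encoded as `&quot;` and the unsafe link mark is dropped while its text survives. Note that the two defences are independent: `CGI.escapeHTML` on its own would still have emitted the `javascript:` link.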
DailyCVE Form:
Platform: RubyGem
Version: <0.2.1
Vulnerability: XSS
Severity: Critical
Date: 2024-01-XX
Prediction: Patch 2024-02-15
What Undercode Say:
`curl -s "https://rubygems.org/api/v1/versions/prosemirror_to_html.json" | jq '.[].number'` (list published versions; confirm 0.2.1 or later is available)
`bundle show prosemirror_to_html` (path and version of the copy your bundle resolves)
`grep "prosemirror_to_html" Gemfile.lock` (pinned version in the lockfile; anything below 0.2.1 is affected)
`CGI.escapeHTML(value)` (the escaping that must be applied to every attribute value, not just text nodes)
How Exploit:
Protection from this CVE:
Upgrade to v0.2.1+
Sanitize the generated HTML before rendering it (attribute escaping plus a URL scheme allow-list, so `javascript:` links are rejected as well)
Implement a strict CSP (no `unsafe-inline`) to limit the impact of any injected script
Impact:
Arbitrary JavaScript Execution
Session Hijacking
Client-Side Attacks
Sources:
Reported By: github.com

