VDB
KO
HIGH 7.2

GHSA-9mg6-x45v-hcfm

activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

Details

### Impact

Users settings their active admin form legends dynamically may be vulnerable to stored XSS, as long as its value can be injected directly by a malicious user.

For example:

* A public web application allows users to create entities with arbitrary names. * Active Admin is used to administrate these entities through a private backend. * The form to edit these entities in the private backend has the following shape (note the dynamic `name` value dependent on an attribute of the `resource`):

```ruby form do |f| f.inputs name: resource.name do f.input :name f.input :description end

f.actions end ```

Then a malicious user could create an entity with a payload that would get executed in the active admin administrator's browser.

Both `form` blocks with an implicit or explicit name (i.e., both `form resource.name` or `form name: resource.name` would suffer from the problem), where the value of the name can be arbitrarily set by non admin users.

### Patches

The problem has been fixed in ActiveAdmin 3.2.2 and ActiveAdmin 4.0.0.beta7.

### Workarounds

Users can workaround this problem without upgrading by explicitly escaping the form name using an HTML escaping utility. For example:

```ruby form do |f| f.inputs name: ERB::Util.html_escape(resource.name) do f.input :name f.input :description end

f.actions end ``` Upgrading is of course recommended though.

### References https://owasp.org/www-community/attacks/xss/#stored-xss-attacks

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / activeadmin
Introduced in: 0 Fixed in: 3.2.2
Fix bundle update activeadmin
RubyGems / activeadmin
Introduced in: 4.0.0.beta1 Fixed in: 4.0.0.beta7
Fix bundle update activeadmin

References