VDB
EN
HIGH 7.2

GHSA-9mg6-x45v-hcfm

activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

상세

### Impact

Users settings their active admin form legends dynamically may be vulnerable to stored XSS, as long as its value can be injected directly by a malicious user.

For example:

* A public web application allows users to create entities with arbitrary names. * Active Admin is used to administrate these entities through a private backend. * The form to edit these entities in the private backend has the following shape (note the dynamic `name` value dependent on an attribute of the `resource`):

```ruby form do |f| f.inputs name: resource.name do f.input :name f.input :description end

f.actions end ```

Then a malicious user could create an entity with a payload that would get executed in the active admin administrator's browser.

Both `form` blocks with an implicit or explicit name (i.e., both `form resource.name` or `form name: resource.name` would suffer from the problem), where the value of the name can be arbitrarily set by non admin users.

### Patches

The problem has been fixed in ActiveAdmin 3.2.2 and ActiveAdmin 4.0.0.beta7.

### Workarounds

Users can workaround this problem without upgrading by explicitly escaping the form name using an HTML escaping utility. For example:

```ruby form do |f| f.inputs name: ERB::Util.html_escape(resource.name) do f.input :name f.input :description end

f.actions end ``` Upgrading is of course recommended though.

### References https://owasp.org/www-community/attacks/xss/#stored-xss-attacks

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

RubyGems / activeadmin
최초 영향 버전: 0 수정 버전: 3.2.2
수정 bundle update activeadmin
RubyGems / activeadmin
최초 영향 버전: 4.0.0.beta1 수정 버전: 4.0.0.beta7
수정 bundle update activeadmin

참고