Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/phlex@1.5.2
Typegem
Namespace
Namephlex
Version1.5.2
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.11.1
Latest_non_vulnerable_version2.4.1
Affected_by_vulnerabilities
0
url VCID-85dg-y8nr-n3b9
vulnerability_id VCID-85dg-y8nr-n3b9
summary 
Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values
During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.

1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`.
2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`.
3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`.

All three of these patterns are meant to be safe and all have now been patched.
references
0
reference_url https://github.com/yippee-fun/phlex
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yippee-fun/phlex
1
reference_url https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a
2
reference_url https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee
3
reference_url https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
4
reference_url https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
5
reference_url https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
6
reference_url https://github.com/advisories/GHSA-w67g-2h6v-vjgq
reference_id GHSA-w67g-2h6v-vjgq
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w67g-2h6v-vjgq
7
reference_url https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
reference_id GHSA-w67g-2h6v-vjgq
reference_type
scores
0
value 7.1
scoring_system cvssv3
scoring_elements
1
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
fixed_packages
0
url pkg:gem/phlex@1.11.1
purl pkg:gem/phlex@1.11.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.11.1
1
url pkg:gem/phlex@2.0.2
purl pkg:gem/phlex@2.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@2.0.2
2
url pkg:gem/phlex@2.1.3
purl pkg:gem/phlex@2.1.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@2.1.3
3
url pkg:gem/phlex@2.2.2
purl pkg:gem/phlex@2.2.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@2.2.2
4
url pkg:gem/phlex@2.3.2
purl pkg:gem/phlex@2.3.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@2.3.2
5
url pkg:gem/phlex@2.4.0.beta1
purl pkg:gem/phlex@2.4.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@2.4.0.beta1
6
url pkg:gem/phlex@2.4.1
purl pkg:gem/phlex@2.4.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@2.4.1
aliases GHSA-w67g-2h6v-vjgq
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-85dg-y8nr-n3b9
1
url VCID-chd9-zt4b-3fey
vulnerability_id VCID-chd9-zt4b-3fey
summary 
Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.

Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-32463
reference_id
reference_type
scores
0
value 0.00179
scoring_system epss
scoring_elements 0.3925
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-32463
1
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
2
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
3
reference_url https://github.com/phlex-ruby/phlex
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/phlex-ruby/phlex
4
reference_url https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/
url https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-32463
reference_id CVE-2024-32463
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-32463
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32463.yml
reference_id CVE-2024-32463.YML
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32463.yml
7
reference_url https://github.com/advisories/GHSA-g7xq-xv8c-h98c
reference_id GHSA-g7xq-xv8c-h98c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-g7xq-xv8c-h98c
8
reference_url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
reference_id GHSA-g7xq-xv8c-h98c
reference_type
scores
0
value 7.1
scoring_system cvssv3
scoring_elements
1
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/
url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
fixed_packages
0
url pkg:gem/phlex@1.5.3
purl pkg:gem/phlex@1.5.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.5.3
1
url pkg:gem/phlex@1.6.3
purl pkg:gem/phlex@1.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.6.3
2
url pkg:gem/phlex@1.7.2
purl pkg:gem/phlex@1.7.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.7.2
3
url pkg:gem/phlex@1.8.3
purl pkg:gem/phlex@1.8.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.8.3
4
url pkg:gem/phlex@1.9.2
purl pkg:gem/phlex@1.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.9.2
5
url pkg:gem/phlex@1.10.1
purl pkg:gem/phlex@1.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.10.1
aliases CVE-2024-32463, GHSA-g7xq-xv8c-h98c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-chd9-zt4b-3fey
2
url VCID-ec9a-dkz3-ebat
vulnerability_id VCID-ec9a-dkz3-ebat
summary 
Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks.

### Impact

If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

```ruby
a(href: user_profile) { "Profile" }
```

If you splat user-provided attributes when rendering any HTML or SVG tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.

```ruby
h1(**JSON.parse(user_attributes))
```

### Patches
Patches are [available on RubyGems](https://rubygems.org/gems/phlex) for all `1.x` minor versions. The patched versions are:

- [1.9.1](https://rubygems.org/gems/phlex/versions/1.9.1)
- [1.8.2](https://rubygems.org/gems/phlex/versions/1.8.2)
- [1.7.1](https://rubygems.org/gems/phlex/versions/1.7.1)
- [1.6.2](https://rubygems.org/gems/phlex/versions/1.6.2)
- [1.5.2](https://rubygems.org/gems/phlex/versions/1.5.2)
- [1.4.1](https://rubygems.org/gems/phlex/versions/1.4.1)
- [1.3.3](https://rubygems.org/gems/phlex/versions/1.3.3)
- [1.2.2](https://rubygems.org/gems/phlex/versions/1.2.2)
- [1.1.1](https://rubygems.org/gems/phlex/versions/1.1.1)
- [1.0.1](https://rubygems.org/gems/phlex/versions/1.0.1)

If you are on `main`, it has been patched since [`aa50c60`](https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1)

### Workarounds
Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.

### References

In addition to upgrading to a patched version of Phlex, we strongly recommend configuring a Content Security Policy header that does not allow `unsafe-inline`. Here’s how you can configure a Content Security Policy header in Rails. https://guides.rubyonrails.org/security.html#content-security-policy-header
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28199
reference_id
reference_type
scores
0
value 0.01541
scoring_system epss
scoring_elements 0.81676
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28199
1
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
2
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
3
reference_url https://github.com/phlex-ruby/phlex
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/phlex-ruby/phlex
4
reference_url https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28199
reference_id CVE-2024-28199
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28199
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-28199.yml
reference_id CVE-2024-28199.YML
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-28199.yml
7
reference_url https://github.com/advisories/GHSA-242p-4v39-2v8g
reference_id GHSA-242p-4v39-2v8g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-242p-4v39-2v8g
8
reference_url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g
reference_id GHSA-242p-4v39-2v8g
reference_type
scores
0
value 7.1
scoring_system cvssv3
scoring_elements
1
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g
fixed_packages
0
url pkg:gem/phlex@1.6.2
purl pkg:gem/phlex@1.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.6.2
1
url pkg:gem/phlex@1.7.1
purl pkg:gem/phlex@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.7.1
2
url pkg:gem/phlex@1.8.2
purl pkg:gem/phlex@1.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.8.2
3
url pkg:gem/phlex@1.9.1
purl pkg:gem/phlex@1.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.9.1
aliases CVE-2024-28199, GHSA-242p-4v39-2v8g
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ec9a-dkz3-ebat
3
url VCID-rnfm-q1jm-jyf2
vulnerability_id VCID-rnfm-q1jm-jyf2
summary
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-32970
reference_id
reference_type
scores
0
value 0.00283
scoring_system epss
scoring_elements 0.51923
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-32970
1
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T15:29:00Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
2
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T15:29:00Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
3
reference_url https://github.com/payloadbox/xss-payload-list
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T15:29:00Z/
url https://github.com/payloadbox/xss-payload-list
4
reference_url https://github.com/phlex-ruby/phlex
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/phlex-ruby/phlex
5
reference_url https://github.com/phlex-ruby/phlex/commit/da8f94342a84cff9d78c98bcc3b3604ee2e577d2
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T15:29:00Z/
url https://github.com/phlex-ruby/phlex/commit/da8f94342a84cff9d78c98bcc3b3604ee2e577d2
6
reference_url https://rubygems.org/gems/phlex
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T15:29:00Z/
url https://rubygems.org/gems/phlex
7
reference_url https://rubygems.org/gems/phlex/versions/1.10.2
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/phlex/versions/1.10.2
8
reference_url https://rubygems.org/gems/phlex/versions/1.9.3
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://rubygems.org/gems/phlex/versions/1.9.3
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-32970
reference_id CVE-2024-32970
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-32970
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32970.yml
reference_id CVE-2024-32970.YML
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32970.yml
11
reference_url https://github.com/advisories/GHSA-9p57-h987-4vgx
reference_id GHSA-9p57-h987-4vgx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-9p57-h987-4vgx
12
reference_url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-9p57-h987-4vgx
reference_id GHSA-9p57-h987-4vgx
reference_type
scores
0
value 7.1
scoring_system cvssv3
scoring_elements
1
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T15:29:00Z/
url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-9p57-h987-4vgx
fixed_packages
0
url pkg:gem/phlex@1.9.3
purl pkg:gem/phlex@1.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.9.3
1
url pkg:gem/phlex@1.10.2
purl pkg:gem/phlex@1.10.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.10.2
aliases CVE-2024-32970, GHSA-9p57-h987-4vgx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rnfm-q1jm-jyf2
Fixing_vulnerabilities
0
url VCID-ec9a-dkz3-ebat
vulnerability_id VCID-ec9a-dkz3-ebat
summary 
Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks.

### Impact

If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

```ruby
a(href: user_profile) { "Profile" }
```

If you splat user-provided attributes when rendering any HTML or SVG tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.

```ruby
h1(**JSON.parse(user_attributes))
```

### Patches
Patches are [available on RubyGems](https://rubygems.org/gems/phlex) for all `1.x` minor versions. The patched versions are:

- [1.9.1](https://rubygems.org/gems/phlex/versions/1.9.1)
- [1.8.2](https://rubygems.org/gems/phlex/versions/1.8.2)
- [1.7.1](https://rubygems.org/gems/phlex/versions/1.7.1)
- [1.6.2](https://rubygems.org/gems/phlex/versions/1.6.2)
- [1.5.2](https://rubygems.org/gems/phlex/versions/1.5.2)
- [1.4.1](https://rubygems.org/gems/phlex/versions/1.4.1)
- [1.3.3](https://rubygems.org/gems/phlex/versions/1.3.3)
- [1.2.2](https://rubygems.org/gems/phlex/versions/1.2.2)
- [1.1.1](https://rubygems.org/gems/phlex/versions/1.1.1)
- [1.0.1](https://rubygems.org/gems/phlex/versions/1.0.1)

If you are on `main`, it has been patched since [`aa50c60`](https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1)

### Workarounds
Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.

### References

In addition to upgrading to a patched version of Phlex, we strongly recommend configuring a Content Security Policy header that does not allow `unsafe-inline`. Here’s how you can configure a Content Security Policy header in Rails. https://guides.rubyonrails.org/security.html#content-security-policy-header
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-28199
reference_id
reference_type
scores
0
value 0.01541
scoring_system epss
scoring_elements 0.81676
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-28199
1
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
2
reference_url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
3
reference_url https://github.com/phlex-ruby/phlex
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/phlex-ruby/phlex
4
reference_url https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-28199
reference_id CVE-2024-28199
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-28199
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-28199.yml
reference_id CVE-2024-28199.YML
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-28199.yml
7
reference_url https://github.com/advisories/GHSA-242p-4v39-2v8g
reference_id GHSA-242p-4v39-2v8g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-242p-4v39-2v8g
8
reference_url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g
reference_id GHSA-242p-4v39-2v8g
reference_type
scores
0
value 7.1
scoring_system cvssv3
scoring_elements
1
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-12T15:49:25Z/
url https://github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g
fixed_packages
0
url pkg:gem/phlex@1.0.1
purl pkg:gem/phlex@1.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.0.1
1
url pkg:gem/phlex@1.1.1
purl pkg:gem/phlex@1.1.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.1.1
2
url pkg:gem/phlex@1.2.2
purl pkg:gem/phlex@1.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.2.2
3
url pkg:gem/phlex@1.3.3
purl pkg:gem/phlex@1.3.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.3.3
4
url pkg:gem/phlex@1.4.1
purl pkg:gem/phlex@1.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.4.1
5
url pkg:gem/phlex@1.5.2
purl pkg:gem/phlex@1.5.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.5.2
6
url pkg:gem/phlex@1.6.2
purl pkg:gem/phlex@1.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.6.2
7
url pkg:gem/phlex@1.7.1
purl pkg:gem/phlex@1.7.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.7.1
8
url pkg:gem/phlex@1.8.2
purl pkg:gem/phlex@1.8.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.8.2
9
url pkg:gem/phlex@1.9.1
purl pkg:gem/phlex@1.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-85dg-y8nr-n3b9
1
vulnerability VCID-chd9-zt4b-3fey
2
vulnerability VCID-ec9a-dkz3-ebat
3
vulnerability VCID-rnfm-q1jm-jyf2
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.9.1
aliases CVE-2024-28199, GHSA-242p-4v39-2v8g
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ec9a-dkz3-ebat
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/phlex@1.5.2