VulnerableCode Package Details - pkg:gem/phlex@1.10.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-85dg-y8nr-n3b9 Aliases: GHSA-w67g-2h6v-vjgq	Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched.	1.11.1 Affected by 0 other vulnerabilities. 2.0.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.1.3 Affected by 0 other vulnerabilities. 2.2.2 Affected by 0 other vulnerabilities. 2.3.2 Affected by 0 other vulnerabilities. 2.4.0.beta1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.4.1 Affected by 0 other vulnerabilities.
VCID-rnfm-q1jm-jyf2 Aliases: CVE-2024-32970 GHSA-9p57-h987-4vgx		There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-85dg-y8nr-n3b9
Aliases:
GHSA-w67g-2h6v-vjgq

Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched.

1.11.1
Affected by 0 other vulnerabilities.

2.0.2
Affected by 1 other vulnerability.

2.1.3
Affected by 0 other vulnerabilities.

2.2.2
Affected by 0 other vulnerabilities.

2.3.2
Affected by 0 other vulnerabilities.

2.4.0.beta1
Affected by 1 other vulnerability.

2.4.1
Affected by 0 other vulnerabilities.

VCID-rnfm-q1jm-jyf2
Aliases:
CVE-2024-32970
GHSA-9p57-h987-4vgx

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-rnfm-q1jm-jyf2		CVE-2024-32970 GHSA-9p57-h987-4vgx

Vulnerability

Summary

Aliases

VCID-rnfm-q1jm-jyf2

CVE-2024-32970
GHSA-9p57-h987-4vgx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T09:35:11.109505+00:00	GitLab Importer	Affected by	VCID-85dg-y8nr-n3b9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/phlex/GHSA-w67g-2h6v-vjgq.yml	38.6.0
2026-05-31T19:18:21.191895+00:00	GitLab Importer	Fixing	VCID-rnfm-q1jm-jyf2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/phlex/CVE-2024-32970.yml	38.6.0
2026-05-31T10:50:15.861309+00:00	GithubOSV Importer	Fixing	VCID-rnfm-q1jm-jyf2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-9p57-h987-4vgx/GHSA-9p57-h987-4vgx.json	38.6.0
2026-05-31T10:20:43.654545+00:00	Ruby Importer	Affected by	VCID-85dg-y8nr-n3b9	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/GHSA-w67g-2h6v-vjgq.yml	38.6.0
2026-05-31T10:19:34.138428+00:00	Ruby Importer	Fixing	VCID-rnfm-q1jm-jyf2	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32970.yml	38.6.0
2026-05-31T10:19:34.074982+00:00	Ruby Importer	Affected by	VCID-rnfm-q1jm-jyf2	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32970.yml	38.6.0
2026-05-31T01:02:58.094026+00:00	GHSA Importer	Fixing	VCID-rnfm-q1jm-jyf2	https://github.com/advisories/GHSA-9p57-h987-4vgx	38.6.0