VulnerableCode Package Details - pkg:gem/phlex@1.9.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-85dg-y8nr-n3b9 Aliases: GHSA-w67g-2h6v-vjgq	Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched.	1.11.1 Affected by 0 other vulnerabilities. 2.0.2 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.1.3 Affected by 0 other vulnerabilities. 2.2.2 Affected by 0 other vulnerabilities. 2.3.2 Affected by 0 other vulnerabilities. 2.4.0.beta1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.4.1 Affected by 0 other vulnerabilities.
VCID-rnfm-q1jm-jyf2 Aliases: CVE-2024-32970 GHSA-9p57-h987-4vgx		1.9.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 1.10.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-85dg-y8nr-n3b9
Aliases:
GHSA-w67g-2h6v-vjgq

Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex. 1. The first bypass could happen if user-provided attributes with string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. 2. The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. 3. The third bypass could happen if user’s links were passed to `href` attributes, e.g. `a(href: user_provided_link)`. All three of these patterns are meant to be safe and all have now been patched.

1.11.1
Affected by 0 other vulnerabilities.

2.0.2
Affected by 1 other vulnerability.

2.1.3
Affected by 0 other vulnerabilities.

2.2.2
Affected by 0 other vulnerabilities.

2.3.2
Affected by 0 other vulnerabilities.

2.4.0.beta1
Affected by 1 other vulnerability.

2.4.1
Affected by 0 other vulnerabilities.

VCID-rnfm-q1jm-jyf2
Aliases:
CVE-2024-32970
GHSA-9p57-h987-4vgx

1.9.3
Affected by 2 other vulnerabilities.

1.10.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-chd9-zt4b-3fey	Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`.	CVE-2024-32463 GHSA-g7xq-xv8c-h98c

Vulnerability

Summary

Aliases

VCID-chd9-zt4b-3fey

Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`.

CVE-2024-32463
GHSA-g7xq-xv8c-h98c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T10:45:59.924476+00:00	GithubOSV Importer	Fixing	VCID-chd9-zt4b-3fey	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-g7xq-xv8c-h98c/GHSA-g7xq-xv8c-h98c.json	38.6.0
2026-05-31T10:20:43.648618+00:00	Ruby Importer	Affected by	VCID-85dg-y8nr-n3b9	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/GHSA-w67g-2h6v-vjgq.yml	38.6.0
2026-05-31T10:19:34.067473+00:00	Ruby Importer	Affected by	VCID-rnfm-q1jm-jyf2	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32970.yml	38.6.0
2026-05-31T01:02:47.735680+00:00	GHSA Importer	Fixing	VCID-chd9-zt4b-3fey	https://github.com/advisories/GHSA-g7xq-xv8c-h98c	38.6.0
2026-05-30T21:03:53.637789+00:00	GitLab Importer	Fixing	VCID-chd9-zt4b-3fey	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/phlex/CVE-2024-32463.yml	38.6.0