Vulnerability details: VCID-8pe7-mz33-t7a9
Vulnerability ID: VCID-8pe7-mz33-t7a9
Aliases: CVE-2024-32463, GHSA-g7xq-xv8c-h98c
Summary: phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allow `unsafe-inline` would effectively prevent this vulnerability from being exploited.
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0
System Score Found at
epss 0.00179 https://api.first.org/data/v1/epss?cve=CVE-2024-32463
cvssv3.1 7.1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
generic_textual HIGH https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
ssvc Track https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
cvssv3.1 7.1 https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
generic_textual HIGH https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
ssvc Track https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-g7xq-xv8c-h98c
cvssv3.1 7.1 https://github.com/phlex-ruby/phlex
generic_textual HIGH https://github.com/phlex-ruby/phlex
cvssv3.1 7.1 https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
generic_textual HIGH https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
ssvc Track https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
cvssv3 7.1 https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
cvssv3.1 7.1 https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
cvssv3.1_qr HIGH https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
generic_textual HIGH https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
ssvc Track https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
cvssv3.1 7.1 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32463.yml
generic_textual HIGH https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32463.yml
cvssv3.1 7.1 https://nvd.nist.gov/vuln/detail/CVE-2024-32463
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-32463
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/ Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/ Found at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/phlex-ruby/phlex
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/ Found at https://github.com/phlex-ruby/phlex/commit/9e3f5b980655817993682e409cbda72956d865cb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T18:58:58Z/ Found at https://github.com/phlex-ruby/phlex/security/advisories/GHSA-g7xq-xv8c-h98c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-32463.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-32463
Exploit Prediction Scoring System (EPSS)
Percentile 0.39333
EPSS Score 0.00179
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-10T18:41:56.263358+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2024/32xxx/CVE-2024-32463.json 38.6.0