CVE-2024-37031
HIGH 7.2 | EPSS 0.23%
activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends
Description
### Impact

Users setting their Active Admin form legends dynamically may be vulnerable to stored XSS if the legend's value can be injected directly by a malicious user. For example:

* A public web application allows users to create entities with arbitrary names.
* Active Admin is used to administrate these entities through a private backend.
* The form to edit these entities in the private backend has the following shape (note the dynamic `name` value, which depends on an attribute of the `resource`):

```ruby
form do |f|
  f.inputs name: resource.name do
    f.input :name
    f.input :description
  end
  f.actions
end
```

A malicious user could then create an entity whose name carries a payload that gets executed in the Active Admin administrator's browser when the edit form is rendered. Both the implicit and the explicit name form (i.e. both `form resource.name` and `form name: resource.name`) suffer from the problem whenever the value of the name can be set arbitrarily by non-admin users.

### Patches

The problem has been fixed in ActiveAdmin 3.2.2 and ActiveAdmin 4.0.0.beta7.

### Workarounds

Users can work around this problem without upgrading by explicitly escaping the form name with an HTML escaping utility. For example:

```ruby
form do |f|
  f.inputs name: ERB::Util.html_escape(resource.name) do
    f.input :name
    f.input :description
  end
  f.actions
end
```

Upgrading is still the recommended fix.

### References

https://owasp.org/www-community/attacks/xss/#stored-xss-attacks
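The following is an added, stand-alone Ruby example (not code from the advisory or from the ActiveAdmin project) that reproduces the failure mode outside of Rails: a legend string built from an attacker-controlled entity name, once unescaped as on affected versions and once passed through the `ERB::Util.html_escape` call from the workaround. The markup the functions emit is a simplification of the real legend, the attacker payload is constructed for the demonstration, and the two helpers (`legend_injected?`, `suspicious_names`) are hypothetical names for the checks a practitioner would add to a test suite and to a pre-upgrade data triage.

```ruby
require "erb"

# Constructed attacker-controlled entity name; not taken from the advisory.
# A public user only needs to be able to save this string as the entity's name.
MALICIOUS_NAME = %q{Widget<img src=x onerror="alert(document.cookie)">}

# Simplified stand-in for the legend markup an unpatched `f.inputs name: ...`
# produces: the name is interpolated into the HTML without escaping.
def legend_vulnerable(name)
  "<legend><span>#{name}</span></legend>"
end

# Same markup with the advisory's workaround applied: the name is passed
# through ERB::Util.html_escape, which turns < > & " ' into entities.
def legend_escaped(name)
  "<legend><span>#{ERB::Util.html_escape(name)}</span></legend>"
end

# Test-suite style check (hypothetical helper): strip the legend's own
# wrapper tags and report whether any markup characters survived inside.
def legend_injected?(html)
  inner = html.sub(%r{\A<legend><span>}, "").sub(%r{</span></legend>\z}, "")
  inner.include?("<") || inner.include?(">")
end

# Pre-upgrade triage (hypothetical helper): given names already stored in the
# database (e.g. from `Entity.pluck(:name)` in a Rails console), return those
# containing HTML metacharacters so they can be reviewed before an admin
# opens their edit form on an affected ActiveAdmin. Deliberately broad, so
# legitimate names such as "Tom & Jerry" are flagged too.
def suspicious_names(names)
  names.select { |n| n =~ /[<>"'&]/ }
end

if __FILE__ == $0
  puts "unescaped: #{legend_vulnerable(MALICIOUS_NAME)}"
  puts "escaped:   #{legend_escaped(MALICIOUS_NAME)}"
  puts "injected (unescaped)? #{legend_injected?(legend_vulnerable(MALICIOUS_NAME))}"
  puts "injected (escaped)?   #{legend_injected?(legend_escaped(MALICIOUS_NAME))}"
  puts "to review: #{suspicious_names(['Acme', MALICIOUS_NAME, 'Tom & Jerry']).inspect}"
end
```

Running the file prints the `<img ... onerror=...>` tag verbatim inside the unescaped legend and as `&lt;img ... onerror=&quot;...&quot;&gt;` inside the escaped one. The triage helper is intentionally noisy; its output is a review list, not proof of an attack, since an ampersand in a name is usually benign while a `<` in a name almost never is.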
Affected packages (1)
- RubyGems/activeadmin: from 0, < 3.2.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
References (7)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-37031
- PATCH: https://github.com/activeadmin/activeadmin
- WEB: https://github.com/activeadmin/activeadmin/pull/8349
- WEB: https://github.com/activeadmin/activeadmin/releases/tag/v3.2.2
- WEB: https://github.com/activeadmin/activeadmin/security/advisories/GHSA-9mg6-x45v-hcfm
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activeadmin/CVE-2024-37031.yml
- WEB: https://rubygems.org/gems/activeadmin/versions/3.2.2