CVE-2024-37031 (activeadmin): activeadmin vulnerable to stored persistent cross-site scripting (XSS) in dynamic form legends

Ruby Security Advisory

### Impact

Users settings their active admin form legends dynamically may be
vulnerable to stored XSS, as long as its value can be injected
directly by a malicious user.

For example:

* A public web application allows users to create entities with
arbitrary names.
* Active Admin is used to administrate these entities through a
private backend.
* The form to edit these entities in the private backend has the
following shape (note the dynamic `name` value dependent on an
attribute of the `resource`):

“`ruby
form do |f|
f.inputs name: resource.name do
f.input :name
f.input :description
end

f.actions
end
“`

Then a malicious user could create an entity with a payload that
would get executed in the active admin administrator’s browser.

Both `form` blocks with an implicit or explicit name (i.e., both
`form resource.name` or `form name: resource.name` would suffer
from the problem), where the value of the name can be arbitrarily
set by non admin users.

### Patches

The problem has been fixed in ActiveAdmin 3.2.2 and ActiveAdmin 4.0.0.beta7.

### Workarounds

Users can workaround this problem without upgrading by explicitly
escaping the form name using an HTML escaping utility. For example:

“`ruby
form do |f|
f.inputs name: ERB::Util.html_escape(resource.name) do
f.input :name
f.input :description
end

f.actions
end
“`
Upgrading is of course recommended though.

### References
https://owasp.org/www-community/attacks/xss/#stored-xss-attacks

READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *