VIR Vulnerability Intelligence Relay

CVE-2023-23913

unknown
Published 2023-03-13 · Modified 2025-01-09
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CVSS v2
VIR risk

Description

There is a potential DOM based cross-site scripting issue in rails-ujs which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2023-23913

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2023-23913.html

OS impact
OSVersionStatusFixed in
suse slesaffected
debian debianbookwormfixed2:6.1.7.3+dfsg-1
debian debianbullseyefixed2:6.0.3.7+dfsg-2+deb11u2
debian debianforkyfixed2:6.1.7.3+dfsg-1
debian debiansidfixed2:6.1.7.3+dfsg-1
debian debiantrixiefixed2:6.1.7.3+dfsg-1

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemsactionview!< 5.1.0||<~> 6.1.7.3~> 6.1.7.3
ruby RubyGemsactionview>=5.1.0,<6.1.7.36.1.7.3
ruby RubyGemsactionview>=7.0.0,<7.0.4.37.0.4.3

References

Verify integrity in audit chain (admin only). AS-IS.