CVE-2023-23913
📋 TL;DR
This DOM-based cross-site scripting vulnerability in rails-ujs allows attackers to inject malicious scripts when users paste clipboard content into contenteditable HTML elements. It affects Ruby on Rails applications using rails-ujs with contenteditable elements. Attackers could steal session cookies, redirect users, or perform actions on behalf of authenticated users.
💻 Affected Systems
- Ruby on Rails
- rails-ujs
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full account takeover, session hijacking, data theft, and unauthorized actions performed as authenticated users
Likely Case
Session cookie theft leading to account compromise, phishing attacks, or defacement of user-specific content
If Mitigated
Limited impact with proper Content Security Policy, input sanitization, and user awareness about pasting untrusted content
🎯 Exploit Status
Exploitation requires user interaction (pasting malicious content) but no authentication. Proof-of-concept exists in public discussions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: rails-ujs 7.0.5 or Rails 7.0.4.2
Vendor Advisory: https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
Restart Required: Yes
Instructions:
1. Update rails-ujs to version 7.0.5 or higher.
2. For Rails applications, update to Rails 7.0.4.2 or higher.
3. Restart your application server.
4. Clear browser caches and test functionality.
🔧 Temporary Workarounds
Disable contenteditable elements
Remove or disable the contenteditable attribute on HTML elements in your application
Find and remove contenteditable="true" attributes from HTML templates
Implement Content Security Policy
Add strict CSP headers to prevent script execution from untrusted sources
Add Content-Security-Policy header with script-src 'self'
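The following is an added example, not code from the advisory or from the Rails project: a small Rack middleware that emits the strict script-src 'self' policy named above, plus a checker that flags weak script-src tokens in any CSP header, which is useful when verifying that the workaround is actually in place. Rails applications normally set this header through the built-in config.content_security_policy DSL, which produces the same header value; the middleware form is used here only so the code runs without the framework. The directives beyond script-src 'self' (object-src, base-uri) are an assumed baseline, and the request and app are constructed for the demo.

```ruby
# Rack middleware that sets a strict Content-Security-Policy header.
# Example code, not from the advisory or Rails. Rails apps can use the
# built-in config.content_security_policy DSL to produce the same header.
class StrictCsp
  # script-src 'self': only scripts served from this origin may execute, so an
  # inline <script> or event handler injected through the contenteditable paste
  # path is blocked by the browser. object-src 'none' and base-uri 'self' are
  # an assumed baseline that closes plugin and <base>-tag bypasses.
  STRICT_POLICY = {
    "default-src" => ["'self'"],
    "script-src"  => ["'self'"],
    "object-src"  => ["'none'"],
    "base-uri"    => ["'self'"],
  }.freeze

  def initialize(app, policy: STRICT_POLICY, report_only: false)
    @app = app
    @policy = policy
    # Report-only mode surfaces breakage before the policy is enforced.
    @header = report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers[@header] = self.class.serialize(@policy)
    [status, headers, body]
  end

  # { "script-src" => ["'self'"] } -> "script-src 'self'"
  def self.serialize(policy)
    policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join("; ")
  end
end

# Parses a CSP header string back into { directive => [sources] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, out|
    directive, *sources = part.strip.split(/\s+/)
    out[directive] = sources if directive
  end
end

# Source tokens that let injected markup execute script despite a CSP.
WEAK_SCRIPT_SOURCES = ["'unsafe-inline'", "*", "data:", "http:", "https:"].freeze

# Returns the weak script-src tokens present; empty means the header is strict.
# A missing script-src falls back to default-src; no policy at all counts as "*".
def weak_script_sources(header)
  policy = parse_csp(header)
  sources = policy["script-src"] || policy["default-src"] || ["*"]
  sources & WEAK_SCRIPT_SOURCES
end

# Constructed inner app and request, so the middleware can be exercised offline.
def demo_response
  app = ->(_env) { [200, { "content-type" => "text/html" }, ["<div contenteditable></div>"]] }
  StrictCsp.new(app).call({ "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" })
end

if __FILE__ == $PROGRAM_NAME
  _status, headers, _body = demo_response
  puts headers["Content-Security-Policy"]
  puts "weak script-src tokens: #{weak_script_sources(headers['Content-Security-Policy']).inspect}"
end
```

Run weak_script_sources against the header your production app actually returns (for example from a saved curl -I capture); a result of ["'unsafe-inline'"] means the workaround does not block the injected inline script this CVE relies on, and the policy needs tightening (or nonces) before it counts as mitigation.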
🧯 If You Can't Patch
- Implement input sanitization for all contenteditable elements using DOMPurify or similar library
- Educate users about risks of pasting untrusted content into editable fields
🔍 How to Verify
Check if Vulnerable:
Check whether your application uses a rails-ujs version below 7.0.5 and serves HTML elements carrying the contenteditable attribute; both conditions are needed for the vulnerable paste handler to be reachable
Check Version:
bundle show rails-ujs or npm list rails-ujs
Verify Fix Applied:
Verify that the rails-ujs version is >= 7.0.5 in package.json (or the npm lockfile) and Gemfile.lock, then test pasting content into contenteditable elements
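As an added example (not from the advisory or the Rails project), the script below automates the two verification checks above: it reads the rails-ujs version out of Gemfile.lock and package.json text, compares it against the 7.0.5 fix version with Gem::Version so multi-segment versions like 7.0.4.1 compare correctly, and counts contenteditable elements in template markup. It assumes the npm package appears under either the rails-ujs name used above or the scoped @rails/ujs name; the lockfile, manifest and template contents are constructed samples.

```ruby
require "json"
require "rubygems" # Gem::Version: correct ordering for versions such as 7.0.4.1

# Fix version given in the advisory; anything below it is treated as affected.
FIXED_RAILS_UJS = "7.0.5"

# Constructed sample inputs standing in for a real application's files.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (7.0.4.1)
      rails-ujs (7.0.4.1)
      rake (13.0.6)
LOCK

SAMPLE_PACKAGE_JSON = <<~PKG
  {
    "name": "example-app",
    "dependencies": { "@rails/ujs": "^7.0.4", "stimulus": "3.2.1" },
    "devDependencies": { "rails-ujs": "7.0.5" }
  }
PKG

SAMPLE_TEMPLATE = <<~HTML
  <div class="editor" contenteditable="true"></div>
  <p contenteditable>notes</p>
  <p contenteditable="false">read-only</p>
  <span data-label='contenteditable'>label text</span>
HTML

# Locked rails-ujs gem version from Gemfile.lock text, or nil when absent.
def rails_ujs_version_from_lock(lock_text)
  m = lock_text.match(/^\s*rails-ujs \(([^)]+)\)\s*$/)
  m && m[1]
end

# npm package names to look for (assumption: scoped and unscoped variants).
UJS_NPM_NAMES = %w[rails-ujs @rails/ujs].freeze

# { package_name => declared_version } from package.json text. Range operators
# (^, ~, >=) are stripped, so this is the declared minimum, not necessarily the
# installed version; consult the npm lockfile for the exact installed build.
def rails_ujs_versions_from_package_json(json_text)
  pkg = JSON.parse(json_text)
  %w[dependencies devDependencies].each_with_object({}) do |section, found|
    (pkg[section] || {}).each do |name, spec|
      next unless UJS_NPM_NAMES.include?(name)
      found[name] = spec.sub(/\A[\^~>=<\s]+/, "")
    end
  end
end

# True when the version is below the fixed release.
def vulnerable_version?(version, fixed = FIXED_RAILS_UJS)
  Gem::Version.new(version) < Gem::Version.new(fixed)
end

# Counts tags that enable editing: bare contenteditable or contenteditable="true".
# contenteditable="false" is not counted. Heuristic: the attribute must be
# preceded by whitespace so the word inside a quoted attribute value is ignored.
def contenteditable_count(html)
  html.scan(/<[^>]+>/).count do |tag|
    tag.match?(/\scontenteditable(?:\s*=\s*["']?true["']?)?(?=[\s>\/])/i)
  end
end

# Both conditions from the advisory: an affected version AND editable elements.
def affected?(lock_text, json_text, html)
  versions = [rails_ujs_version_from_lock(lock_text)].compact +
             rails_ujs_versions_from_package_json(json_text).values
  versions.any? { |v| vulnerable_version?(v) } && contenteditable_count(html) > 0
end

if __FILE__ == $PROGRAM_NAME
  puts "Gemfile.lock rails-ujs: #{rails_ujs_version_from_lock(SAMPLE_GEMFILE_LOCK)}"
  puts "package.json rails-ujs: #{rails_ujs_versions_from_package_json(SAMPLE_PACKAGE_JSON)}"
  puts "contenteditable elements: #{contenteditable_count(SAMPLE_TEMPLATE)}"
  puts "affected: #{affected?(SAMPLE_GEMFILE_LOCK, SAMPLE_PACKAGE_JSON, SAMPLE_TEMPLATE)}"
end
```

Point the three functions at File.read of your own Gemfile.lock, package.json and the concatenated contents of app/views to run the check against a real application; a result of false from affected? still only covers rails-ujs, so the Rails version check from the Official Fix section applies independently.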
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests with data-method/data-remote attributes from unexpected sources
- JavaScript errors related to clipboard operations
Network Indicators:
- Requests containing malicious script tags in POST data
- Unexpected redirects after form submissions
SIEM Query:
source="web_server" AND (data-method OR data-remote) AND contains("<script>")
🔗 References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033263
- https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
- https://github.com/rails/rails/commit/5037a13614d71727af8a175063bcf6ba1a74bdbd
- https://security.netapp.com/advisory/ntap-20240605-0007/
- https://www.debian.org/security/2023/dsa-5389