From 83c299ee790ea7a68b1985bcb5f97db5ebe61444 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 9 Jul 2024 17:04:42 +0000
Subject: [PATCH] Updated advisory posts against rubysec/ruby-advisory-db@577457f
---
.../_posts/2024-07-08-CVE-2024-39308.md | 55 +++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 advisories/_posts/2024-07-08-CVE-2024-39308.md
diff --git a/advisories/_posts/2024-07-08-CVE-2024-39308.md b/advisories/_posts/2024-07-08-CVE-2024-39308.md
new file mode 100644
index 0000000..94569b9
--- /dev/null
+++ b/advisories/_posts/2024-07-08-CVE-2024-39308.md
@@ -0,0 +1,55 @@
+---
+layout: advisory
+title: 'CVE-2024-39308 (rails_admin): RailsAdmin Cross-site Scripting vulnerability
+ in the list view'
+comments: false
+categories:
+- rails_admin
+advisory:
+ gem: rails_admin
+ cve: 2024-39308
+ ghsa: 8qgm-g2vv-vwvc
+ url: https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc
+ title: RailsAdmin Cross-site Scripting vulnerability in the list view
+ date: 2024-07-08
+ description: |
+ ### Impact
+ RailsAdmin list view has the XSS vulnerability, caused by
+ improperly-escaped HTML title attribute. The issue was originally
+ reported in https://github.com/railsadminteam/rails_admin/issues/3686.
+
+ ### Patches
+ Upgrade to [3.1.3](https://rubygems.org/gems/rails_admin/versions/3.1.3)
+ or [2.3.0](https://rubygems.org/gems/rails_admin/versions/2.3.0).
+
+ ### Workarounds
+ 1. Copy the index view (located under the path
+ `app/views/rails_admin/main/index.html.erb`) from the RailsAdmin
+ version you use, and place it into your application by using
+ the same path.
+
+ 2. Open the view file by an editor, and remove `strip_tags` from
+ the title attribute (as shown in GHSA advisory below).
+
+ **Note:** The view file created by this needs to be removed after
+ upgrading RailsAdmin afterwards, unless this old view continue to
+ be used. Only do this if you can't upgrade RailsAdmin now for a reason.
+
+ ### References
+ https://owasp.org/www-community/attacks/xss/
+ https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-strip_tags
+ cvss_v3: 6.8
+ patched_versions:
+ - "~> 2.3.0"
+ - ">= 3.1.3"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-39308
+ - https://github.com/railsadminteam/rails_admin/security/advisories/GHSA-8qgm-g2vv-vwvc
+ - https://github.com/railsadminteam/rails_admin/issues/3686
+ - https://github.com/railsadminteam/rails_admin/commit/b5a287d82e2cbd1737a1a01e11ede2911cce7fef
+ - https://github.com/railsadminteam/rails_admin/commit/d84b39884059c4ed50197cec8522cca029a17673
+ - https://rubygems.org/gems/rails_admin/versions/2.3.0
+ - https://rubygems.org/gems/rails_admin/versions/3.1.3
+ - https://github.com/advisories/GHSA-8qgm-g2vv-vwvc
+---