SCA: security update for phlex (GHSA-242p-4v39-2v8g)

medium Tenable Self-Hosted Container Security Plugin ID 408655

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-
site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due
to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>`
tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript
when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious
event attributes could be included in the output, executing JavaScript when the events are triggered by
another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade.
Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-
inline`. (CVE-2024-28199)

See Also

https://github.com/advisories/GHSA-242p-4v39-2v8g

Plugin Details

Severity: Medium

ID: 408655

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2024-28199

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/12/2024

Vulnerability Publication Date: 3/11/2024

Reference Information

CVE: CVE-2024-28199

cwe: CWE-79