CVE-2024-39311: Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction

1.8 CVSS

Description

Publify is a self hosted Web publishing platform on Rails. Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the `publify_core` rubygem, publisher on a `publify` application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. The exploitation of this XSS vulnerability requires the administrator to click a malicious link. An attack could attempt to hide their payload by using HTML, or other encodings, as to not make it obvious to an administrator that this is a malicious link. A publisher may attempt to use this vulnerability to escalate their privileges and become an administrator. Version 10.0.1 of Publify and version 10.0.2 of the `publify_core` rubygem fix the issue.

Classification

CVE ID: CVE-2024-39311

CVSS Base Severity: LOW

CVSS Base Score: 1.8

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

Vendor: publify

Product: publify

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 6.15% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39311
https://github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q

Timeline

2025-03-28 15:40:16 UTC
CVE

Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction
2025-03-28 17:15:35 UTC
Github Advisory Database (RubyGems)

[publify_core] Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring User Interaction