Updated advisory posts against rubysec/ruby-advisory-db@4d49a95

Author: jasnow

advisories/_posts/2025-03-28-CVE-2024-39311.md

@@ -0,0 +1,50 @@
+---
+layout: advisory
+title: 'CVE-2024-39311 (publify_core): Publify Vulnerable To Cross-Site Scripting
+  (XSS) Via Redirects Requiring User Interaction'
+comments: false
+categories:
+- publify_core
+advisory:
+  gem: publify_core
+  cve: 2024-39311
+  ghsa: 8fm5-gg2f-f66q
+  url: https://github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q
+  title: Publify Vulnerable To Cross-Site Scripting (XSS) Via Redirects Requiring
+    User Interaction
+  date: 2025-03-28
+  description: |
+    ### Summary
+
+    A publisher on a `publify` application is able to perform a cross-site
+    scripting attack on an administrator using the redirect functionality.
+
+    ### Details
+
+    A publisher on a `publify` application is able to perform a cross-site
+    scripting attack on an administrator using the redirect functionality.
+    The exploitation of this XSS vulnerability requires the administrator
+    to click a malicious link.
+
+    We can create a redirect to a `javascript:alert()` URL. Whilst the
+    redirect itself doesn't work, on the administrative panel, an a tag
+    is created with the payload as the URI. Upon clicking this link,
+    the XSS is triggered.
+
+    An attack could attempt to hide their payload by using HTML, or
+    other encodings, as to not make it obvious to an administrator
+    that this is a malicious link.
+
+    ### Impact
+
+    A publisher may attempt to use this vulnerability to escalate their
+    privileges and become an administrator."
+  cvss_v4: 1.8
+  patched_versions:
+  - ">= 10.0.2"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-39311
+    - https://github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q
+    - https://github.com/advisories/GHSA-8fm5-gg2f-f66q
+---