CVE-2024-39311

MEDIUM

Publify < 10.0.1 - Cross-Site Scripting via Redirect Functionality

Title source: llm

Description

Publify is a self hosted Web publishing platform on Rails. Prior to version 10.0.1 of Publify, corresponding to versions prior to 10.0.2 of the `publify_core` rubygem, publisher on a `publify` application is able to perform a cross-site scripting (XSS) attack on an administrator using the redirect functionality. The exploitation of this XSS vulnerability requires the administrator to click a malicious link. An attack could attempt to hide their payload by using HTML, or other encodings, as to not make it obvious to an administrator that this is a malicious link. A publisher may attempt to use this vulnerability to escalate their privileges and become an administrator. Version 10.0.1 of Publify and version 10.0.2 of the `publify_core` rubygem fix the issue.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/publify/publify/security/advisories/GHSA-8fm5-gg2f-f66q

Scores

CVSS v3 5.4

EPSS 0.0018

EPSS Percentile 39.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (3)

publify/publify < 10.0.1

publify/publify_core < 10.0.2

rubygems/publify_core 0 - 10.0.2RubyGems

Published Mar 28, 2025

Tracked Since Feb 18, 2026