{"schema_version":"1.7.3","id":"GHSA-5xq9-h3j2-jxvc","published":"2023-05-11T18:30:17Z","modified":"2026-02-03T02:56:54.353983Z","aliases":["CVE-2023-25309"],"summary":"Cross Site Scripting (XSS) Vulnerability in Fetlife rollout-ui gem","details":"Cross Site Scripting (XSS) vulnerability in Fetlife rollout-ui version 0.5 allows attackers to execute arbitrary script in a victim's browser via a crafted URL to the delete-feature functionality.","affected":[{"package":{"name":"rollout-ui","ecosystem":"RubyGems","purl":"pkg:gem/rollout-ui"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.5.3"}]}],"versions":["0.1.0","0.2.0","0.3.0","0.4.0","0.5.0","0.5.1","0.5.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-5xq9-h3j2-jxvc/GHSA-5xq9-h3j2-jxvc.json"}}],"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25309"},{"type":"WEB","url":"https://github.com/fetlife/rollout-ui/pull/15"},{"type":"WEB","url":"https://github.com/fetlife/rollout-ui/commit/713d9c2edd4d7b0d8c287bea960d3c6bd2c5b306"},{"type":"WEB","url":"https://cxsecurity.com/issue/WLB-2023050012"},{"type":"PACKAGE","url":"https://github.com/fetlife/rollout-ui"},{"type":"WEB","url":"https://github.com/fetlife/rollout-ui/releases/tag/v0.5.3"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rollout-ui/CVE-2023-25309.yml"},{"type":"WEB","url":"https://packetstormsecurity.com/files/172185/Rollout-UI-0.5-Cross-Site-Scripting.html"}],"database_specific":{"cwe_ids":["CWE-79"],"github_reviewed":true,"github_reviewed_at":"2026-01-20T20:59:24Z","nvd_published_at":"2023-05-11T18:15:12Z","severity":"MODERATE"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}