Coordinated Disclosure Timeline
- 2023-04-13: Asked the maintainer for a security contact.
- 2023-04-14: Got a response and sent the report.
- 2023-04-20: Issue was fixed and advisory for CVE-2023-30614 was published.
Cross-site scripting in payments display page (
A payments info page of Pay was susceptible to reflected Cross-site scripting. An attacker could have created a working URL that renders a
In the show method of the PaymentsController class, the user-controlled value of the parameter named back is assigned to the instance variable named @redirect_to:
@redirect_to = params[:back].presence || root_path
This value is then rendered using the link_to helper in the corresponding view (show.html.erb):
<%= link_to t("pay.back"), @redirect_to, [..]
Since the link_to view helper does not check the protocol of the provided URL, an attacker can supply a URL starting with
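To make the sink concrete, the following Ruby is an added example; it is not the Pay gem's code and not the maintainers' fix, which this page does not describe. It reproduces the vulnerable assignment from the advisory and places next to it one way of constraining the back parameter to a same-origin path before it reaches link_to. ROOT_PATH, unsafe_back_target and safe_back_target are names chosen here; the sample inputs are constructed.

```ruby
require "uri"

# Stand-in for root_path in the advisory's controller (assumption for this example).
ROOT_PATH = "/".freeze

# Reproduces the vulnerable assignment from the advisory:
#   @redirect_to = params[:back].presence || root_path
# Any non-blank string arriving in ?back= becomes the href that link_to emits,
# so a "javascript:" URL is passed straight through to the page.
def unsafe_back_target(back_param)
  return ROOT_PATH if back_param.nil? || back_param.strip.empty?
  back_param
end

# Hardened variant (added example, not the project's own fix): accept only a
# same-origin absolute path; everything else falls back to ROOT_PATH.
def safe_back_target(back_param, fallback: ROOT_PATH)
  return fallback if back_param.nil? || back_param.strip.empty?
  # Control characters and whitespace can smuggle a scheme past naive prefix
  # checks (e.g. "\tjavascript:"); refuse such values outright.
  return fallback if back_param.match?(/[\x00-\x20\x7f]/)
  # Browsers treat "\" like "/", so "/\evil.example" would be protocol-relative.
  return fallback if back_param.include?("\\")
  # Require an absolute path; reject protocol-relative "//host" and "///host" forms,
  # which browsers resolve to a foreign origin.
  return fallback unless back_param.start_with?("/") && !back_param.start_with?("//")

  # A single leading "/" already rules out a scheme or authority; parsing is kept
  # to reject syntactically invalid input and as a defensive double check.
  uri = URI.parse(back_param)
  return fallback if uri.scheme || uri.host || uri.userinfo
  back_param
rescue URI::InvalidURIError
  fallback
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values an attacker might place in ?back=
  ["/payments/pi_123", "javascript:alert(1)", "//evil.example/", "\tjavascript:alert(1)"].each do |v|
    puts "#{v.inspect} -> unsafe: #{unsafe_back_target(v).inspect}, safe: #{safe_back_target(v).inspect}"
  end
end
```

The allow-list approach (only a local absolute path is ever echoed) is deliberately stricter than a deny-list of schemes such as javascript: and data:, because scheme spelling, case and embedded whitespace give a deny-list many ways to fail.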
This vulnerability was found using CodeQL’s reflected cross-site scripting query for Ruby.
Proof of Concept
Precondition: The attacker needs to know a valid Stripe Payment Intent ID for the targeted page. This Payment Intent ID doesn’t need to be newly created to work, so the attacker can start a payment themselves and copy the resulting Payment Intent ID.
The attacker can then construct a URL such as:
E.g., such a URL could look like this:
This issue may lead to sensitive data disclosure due to reflected Cross-site scripting (XSS).
This issue was discovered and reported by GHSL team member @p- (Peter Stöckli).
You can contact the GHSL team at
firstname.lastname@example.org, please include a reference to
GHSL-2023-084 in any communication regarding this issue.