oss-sec mailing list archives
Re: [CVE-2019-15587] Loofah XSS Vulnerability
From: Mike Dalessio <mike.dalessio () gmail com>
Date: Tue, 22 Oct 2019 09:24:20 -0400
Apologies - the "Affected Versions" section should have read *Loofah <= v2.3.0*

On Tue, Oct 22, 2019 at 9:15 AM Mike Dalessio <mike.dalessio () gmail com> wrote:
Hello all,

A *medium* severity vulnerability has been identified and patched in Loofah v2.3.1, which is a dependency of `rails-html-sanitizer`. This issue has been assigned CVE-2019-15587.

The public notice can be found here: https://github.com/flavorjones/loofah/issues/171

To save you a click, I've reproduced the contents of the announcement here.

---

# CVE-2019-15587 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by https://hackerone.com/vxhex

I'd like to thank [HackerOne](https://hackerone.com/loofah) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

## Severity

Loofah maintainers have evaluated this as [Medium (CVSS3 6.4)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L).

## Description

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

## Affected Versions

Loofah < v2.3.0

## Mitigation

Upgrade to Loofah v2.3.1 or later.
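Since Loofah is usually pulled in transitively through `rails-html-sanitizer` rather than listed in a Gemfile, the practical check is the resolved version in `Gemfile.lock`. The script below is an added example, not code from the advisory or the Loofah project: it parses the `specs:` section of a Bundler lockfile, compares the resolved `loofah` version against 2.3.1 (the fixed release, so anything below it is in the corrected affected range `<= v2.3.0`), and reports the result. The lockfile layout assumed is the standard Bundler one (4-space-indented `name (version)` lines for resolved gems, deeper indentation for their dependencies); the embedded lockfile is constructed sample input, and the helper names are this example's own.

```ruby
# Added example (not part of the advisory): scan a Gemfile.lock for a Loofah
# version affected by CVE-2019-15587 and report whether an upgrade is needed.
require "rubygems"

# Fixed release named in the advisory; everything below it is affected.
FIXED_LOOFAH_VERSION = Gem::Version.new("2.3.1")

# Parse the specs: section of a Bundler lockfile into {name => Gem::Version}.
# Only 4-space-indented "name (x.y.z)" lines are resolved gems; lines indented
# further are dependency constraints of the gem above them and are skipped.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    stripped = line.rstrip
    if stripped == "  specs:"
      in_specs = true
      next
    end
    # Any non-indented line starts a new section (GEM, PLATFORMS, DEPENDENCIES, ...)
    in_specs = false if stripped =~ /\A\S/
    next unless in_specs
    if (m = stripped.match(/\A    (\S+) \(([^)\s]+)\)\z/))
      specs[m[1]] = Gem::Version.new(m[2])
    end
  end
  specs
end

# :missing if loofah is not resolved at all, :vulnerable if below the fixed
# release, :fixed otherwise.
def loofah_status(lockfile_text)
  version = parse_lockfile_specs(lockfile_text)["loofah"]
  return :missing if version.nil?
  version < FIXED_LOOFAH_VERSION ? :vulnerable : :fixed
end

# Constructed sample lockfile (assumed Bundler layout) in which
# rails-html-sanitizer resolves an affected Loofah.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.5)
      loofah (2.3.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.4.0)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)
      rails-html-sanitizer (1.2.0)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails-html-sanitizer

  BUNDLED WITH
     1.17.3
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_loofah.rb [path/to/Gemfile.lock]; falls back to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  found = parse_lockfile_specs(text)["loofah"]
  case loofah_status(text)
  when :missing
    puts "loofah not found in lockfile"
  when :vulnerable
    puts "loofah #{found} is affected by CVE-2019-15587; upgrade to >= #{FIXED_LOOFAH_VERSION}"
  else
    puts "loofah #{found} is not affected by CVE-2019-15587"
  end
end
```

Run it against a real `Gemfile.lock` to see the resolved version; `bundle update loofah` followed by a re-run should move the status from `:vulnerable` to `:fixed`. The parser deliberately ignores the indented constraint lines (such as `loofah (~> 2.2, >= 2.2.2)` under `rails-html-sanitizer`), because a constraint that permits a fixed version says nothing about which version Bundler actually resolved.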