Re: [CVE-2019-15587] Loofah XSS Vulnerability

[Mike Dalessio <mike.dalessio () gmail com>]

Apologies - the "Affected Versions" section should have read *Loofah <=
v2.3.0*

On Tue, Oct 22, 2019 at 9:15 AM Mike Dalessio <mike.dalessio () gmail com>
wrote:

> Hello all,
>
> A *medium* severity vulnerability has been identified and patched in
> Loofah v2.3.1, which is a dependency of `rails-html-sanitizer`. This issue
> has been assigned CVE-2019-15587.
>
> The public notice can be found here:
>
>   https://github.com/flavorjones/loofah/issues/171
>
> To save you a click, I've reproduced the contents of the announcement here.
>
> ---
>
>
> *# CVE-2019-15587 - Loofah XSS Vulnerability*
> This issue has been created for public disclosure of an XSS vulnerability
> that was responsibly reported by https://hackerone.com/vxhex
>
> I'd like to thank [HackerOne](https://hackerone.com/loofah) for providing
> a secure, responsible mechanism for reporting, and for providing their
> fantastic service to the Loofah maintainers.
>
>
> *## Severity*
> Loofah maintainers have evaluated this as [Medium (CVSS3 6.4)](
> https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
> ).
>
>
>
> *## Description*
> In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
> sanitized output when a crafted SVG element is republished.
>
>
>
> *## Affected Versions*
> Loofah < v2.3.0
>
>
>
> *## Mitigation*
> Upgrade to Loofah v2.3.1 or later.