oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

[CVE-2018-8048] Loofah XSS Vulnerability

From: Mike Dalessio <mike.dalessio () gmail com>
Date: Mon, 19 Mar 2018 17:08:14 -0400
Hello all,

A *medium* severity vulnerability has been identified and patched in
Loofah, which is a library used by `rails-html-sanitizer`. This issue has
been assigned CVE-2018-8048.

The public notice can be found here:

    https://github.com/flavorjones/loofah/issues/144

To save you a click, I've reproduced the contents of the initial
announcement here.

-----

*# CVE-2018-8048 - Loofah XSS Vulnerability*

This issue has been created for public disclosure of an XSS / code
injection vulnerability that was responsibly reported by the Shopify
Application Security Team.

*## Severity*

Medium (6.7)


*## Description*

Loofah allows non-whitelisted attributes to be present in sanitized output
when input with specially-crafted HTML fragments.


*## Affected Versions*

Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.


*## Mitigation*

Upgrade to Loofah 2.2.1.


*## History of this public disclosure*

2018-03-19: Initial vulnerability report published
Previous By Date Next
Previous By Thread Next

Current thread: