oss-sec mailing list archives
[CVE-2018-8048] Loofah XSS Vulnerability
From: Mike Dalessio <mike.dalessio () gmail com>
Date: Mon, 19 Mar 2018 17:08:14 -0400
Hello all, A *medium* severity vulnerability has been identified and patched in Loofah, which is a library used by `rails-html-sanitizer`. This issue has been assigned CVE-2018-8048. The public notice can be found here: https://github.com/flavorjones/loofah/issues/144 To save you a click, I've reproduced the contents of the initial announcement here. ----- *# CVE-2018-8048 - Loofah XSS Vulnerability* This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team. *## Severity* Medium (6.7) *## Description* Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. *## Affected Versions* Loofah < 2.2.1, but only: * when running on MRI or RBX, * in combination with libxml2 >= 2.9.2. Please note: JRuby users are not affected. *## Mitigation* Upgrade to Loofah 2.2.1. *## History of this public disclosure* 2018-03-19: Initial vulnerability report published
Current thread:
- [CVE-2018-8048] Loofah XSS Vulnerability Mike Dalessio (Mar 19)