[CVE-2018-8048] Loofah XSS Vulnerability

1,250 views

Skip to first unread message

Rafael Mendonça França

unread,

Mar 19, 2018, 5:18:15 PM3/19/18

to rubyonrail...@googlegroups.com

Hello all,

A medium severity vulnerability has been identified and patched in Loofah, which is a library used by `rails-html-sanitizer`. This issue has been assigned CVE-2018-8048.

The public notice can be found here:

https://github.com/flavorjones/loofah/issues/144

To save you a click, I've reproduced the contents of the initial announcement here.

-----

# CVE-2018-8048 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.

## Severity

Medium (6.7)

## Description

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

## Affected Versions

Loofah < 2.2.1, but only:

* when running on MRI or RBX,

* in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.

## Mitigation

Upgrade to Loofah 2.2.1.

## History of this public disclosure

2018-03-19: Initial vulnerability report published

Reply all

Reply to author

Forward

0 new messages