[CVE-2018-8048] Loofah XSS Vulnerability


Mike Dalessio

Mar 19, 2018, 5:08:38 PM
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com, oss-se...@lists.openwall.com, nokogiri-talk
Hello all,

A medium severity vulnerability has been identified and patched in Loofah, which is a library used by `rails-html-sanitizer`. This issue has been assigned CVE-2018-8048.

The public notice can be found here:


To save you a click, I've reproduced the contents of the initial announcement here.

-----

# CVE-2018-8048 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.

## Severity

Medium (6.7)


## Description

Loofah allows non-whitelisted attributes to be present in sanitized output when given input with specially-crafted HTML fragments.


## Affected Versions

Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.


## Mitigation

Upgrade to Loofah 2.2.1.


## History of this public disclosure

2018-03-19: Initial vulnerability report published
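A defender-side check for the affected-versions conditions in the advisory above, written as an added example (not the advisory author's or the Loofah project's code): it reads the loofah pin from a Bundler Gemfile.lock and applies the Loofah < 2.2.1, MRI-or-RBX, libxml2 >= 2.9.2 test. The lockfile excerpt is constructed, and the libxml2 version is assumed to be supplied by the caller (for example from `xml2-config --version`).

```ruby
# Added example, not part of the advisory: evaluate a Gemfile.lock against the
# affected-version conditions stated for CVE-2018-8048. The libxml2 version is
# supplied by the caller (e.g. from `xml2-config --version`); that is an assumption.

# Return the pinned loofah version from a Bundler Gemfile.lock, or nil.
def loofah_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    # Bundler indents resolved spec lines by exactly four spaces;
    # deeper-indented lines are dependency constraints, not pins.
    m = line.match(/\A {4}loofah \((\d+(?:\.\d+)*)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Affected per the advisory: Loofah < 2.2.1, on MRI ("ruby") or Rubinius
# ("rbx"), with libxml2 >= 2.9.2. JRuby is not affected.
def loofah_affected?(loofah_version, ruby_engine, libxml2_version)
  return false if loofah_version.nil?
  return false unless %w[ruby rbx].include?(ruby_engine)
  Gem::Version.create(loofah_version) < Gem::Version.new("2.2.1") &&
    Gem::Version.create(libxml2_version) >= Gem::Version.new("2.9.2")
end

# Summarise the result for one lockfile under the given runtime.
def check_lockfile(lock_text, libxml2_version:, ruby_engine: RUBY_ENGINE)
  v = loofah_version_from_lockfile(lock_text)
  return "loofah not present in lockfile" if v.nil?
  if loofah_affected?(v, ruby_engine, libxml2_version)
    "loofah #{v} is affected by CVE-2018-8048; upgrade to 2.2.1 or later"
  else
    "loofah #{v} is not affected under these conditions"
  end
end

# Constructed sample lockfile excerpt (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.3)
      loofah (2.2.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.2)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)
LOCK
puts check_lockfile(SAMPLE_LOCK, libxml2_version: "2.9.4") if __FILE__ == $PROGRAM_NAME
```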
