[CVE-2018-8048] Loofah XSS Vulnerability

1239 views
Skip to first unread message

Rafael Mendonça França

unread,
Mar 19, 2018, 5:18:15 PM3/19/18
to rubyonrail...@googlegroups.com

Hello all,


A medium severity vulnerability has been identified and patched in Loofah, which is a library used by `rails-html-sanitizer`. This issue has been assigned CVE-2018-8048.


The public notice can be found here:


    https://github.com/flavorjones/loofah/issues/144


To save you a click, I've reproduced the contents of the initial announcement here.


-----


# CVE-2018-8048 - Loofah XSS Vulnerability


This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.


## Severity


Medium (6.7)


## Description


Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.


## Affected Versions


Loofah < 2.2.1, but only:


* when running on MRI or RBX,

* in combination with libxml2 >= 2.9.2.


Please note: JRuby users are not affected.


## Mitigation


Upgrade to Loofah 2.2.1.


## History of this public disclosure


2018-03-19: Initial vulnerability report published

Reply all
Reply to author
Forward
0 new messages