oss-sec mailing list archives
[CVE-2018-16468] Loofah XSS Vulnerability
From: Mike Dalessio <mike.dalessio () gmail com>
Date: Tue, 30 Oct 2018 09:14:52 -0400
Hello all, A *medium* severity vulnerability has been identified and patched in Loofah v2.2.3, which is a dependency of `rails-html-sanitizer`. This issue has been assigned CVE-2018-16468. The public notice can be found here: https://github.com/flavorjones/loofah/issues/154 To save you a click, I've reproduced the contents of the announcement here. ----- *# CVE-2018-16468 - Loofah XSS Vulnerability* This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by [Shubham Pathak]( https://hackerone.com/hackedbrain) and @yasinS (Yasin Soliman). I'd like to thank [HackerOne](https://hackerone.com/loofah) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers. *## Severity* Loofah maintainers have evaluated this as [Medium (CVSS3 6.4)]( https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L ). *## Description* In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. *## Affected Versions* Loofah < v2.2.3. *## Mitigation* Upgrade to Loofah v2.2.3. *## References* * [HackerOne report](https://hackerone.com/reports/429267) *## History of this public disclosure* 2018-10-27: disclosure created, all information is embargoed 2018-10-30: embargo ends, full information made available
Current thread:
- [CVE-2018-16468] Loofah XSS Vulnerability Mike Dalessio (Oct 30)