[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] [CVE-2018-8048] Loofah XSS Vulnerability
From:       Mike Dalessio <mike.dalessio () gmail ! com>
Date:       2018-03-19 21:08:14
Message-ID: CAGJbjKaR+G7r8DnrXmvf0hXgtSYh8VAU7cJRmt+7iqn1fzwizw () mail ! gmail ! com
[Download RAW message or body]


Hello all,

A *medium* severity vulnerability has been identified and patched in
Loofah, which is a library used by `rails-html-sanitizer`. This issue has
been assigned CVE-2018-8048.

The public notice can be found here:

    https://github.com/flavorjones/loofah/issues/144

To save you a click, I've reproduced the contents of the initial
announcement here.

-----

*# CVE-2018-8048 - Loofah XSS Vulnerability*

This issue has been created for public disclosure of an XSS / code
injection vulnerability that was responsibly reported by the Shopify
Application Security Team.

*## Severity*

Medium (6.7)


*## Description*

Loofah allows non-whitelisted attributes to be present in sanitized output
when input with specially-crafted HTML fragments.


*## Affected Versions*

Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.


*## Mitigation*

Upgrade to Loofah 2.2.1.


*## History of this public disclosure*

2018-03-19: Initial vulnerability report published


[prev in list] [next in list] [prev in thread] [next in thread]