List: oss-security
Subject: [oss-security] [CVE-2018-8048] Loofah XSS Vulnerability
From: Mike Dalessio <mike.dalessio () gmail ! com>
Date: 2018-03-19 21:08:14
Message-ID: CAGJbjKaR+G7r8DnrXmvf0hXgtSYh8VAU7cJRmt+7iqn1fzwizw () mail ! gmail ! com
Hello all,
A *medium* severity vulnerability has been identified and patched in
Loofah, which is a library used by `rails-html-sanitizer`. This issue has
been assigned CVE-2018-8048.
The public notice can be found here:
https://github.com/flavorjones/loofah/issues/144
To save you a click, I've reproduced the contents of the initial
announcement here.
-----
# CVE-2018-8048 - Loofah XSS Vulnerability
This issue has been created for public disclosure of an XSS / code
injection vulnerability that was responsibly reported by the Shopify
Application Security Team.
## Severity
Medium (6.7)
## Description
Loofah allows non-whitelisted attributes to be present in sanitized output
when given input containing specially-crafted HTML fragments.
## Affected Versions
Loofah < 2.2.1, but only:
* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.
Please note: JRuby users are not affected.
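As an added illustration (not part of the advisory or of Loofah itself), the three conditions above can be turned into an inventory check. The pure predicate takes the Loofah version, the `RUBY_ENGINE` value and the loaded libxml2 version; the live wrapper reads those from the running interpreter via `Loofah::VERSION` and `Nokogiri::VERSION_INFO`.

```ruby
# Added example: decide whether a Ruby runtime is exposed to CVE-2018-8048
# using the advisory's conditions: Loofah < 2.2.1, running on MRI or RBX,
# with libxml2 >= 2.9.2. JRuby is never affected.
require "rubygems"

FIXED_LOOFAH = Gem::Version.new("2.2.1")
MIN_LIBXML2  = Gem::Version.new("2.9.2")
# RUBY_ENGINE values: "ruby" is MRI, "rbx" is Rubinius, "jruby" is JRuby.
AFFECTED_ENGINES = %w[ruby rbx].freeze

# Pure predicate so it can be exercised without the gems installed.
def cve_2018_8048_affected?(loofah_version, engine, libxml2_version)
  return false unless AFFECTED_ENGINES.include?(engine)
  Gem::Version.new(loofah_version) < FIXED_LOOFAH &&
    Gem::Version.new(libxml2_version) >= MIN_LIBXML2
end

# Reads the live values from the current interpreter. Returns true/false,
# or nil when loofah/nokogiri are not installed or no libxml2 is loaded
# (e.g. on JRuby, where Nokogiri does not report a libxml2 version).
def cve_2018_8048_live_check
  require "loofah"
  require "nokogiri"
  libxml2 = Nokogiri::VERSION_INFO.dig("libxml", "loaded")
  return false if RUBY_ENGINE == "jruby"
  return nil unless libxml2
  cve_2018_8048_affected?(Loofah::VERSION, RUBY_ENGINE, libxml2)
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  case cve_2018_8048_live_check
  when true  then puts "VULNERABLE: upgrade loofah to >= 2.2.1"
  when false then puts "not affected"
  else            puts "loofah/nokogiri not installed; nothing to check"
  end
end
```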
## Mitigation
Upgrade to Loofah 2.2.1.
## History of this public disclosure
2018-03-19: Initial vulnerability report published