CVE-2018-8048 - Loofah XSS Vulnerability #144
This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.
(this CVSS3 score is RedHat's assessment)
Loofah allows non-whitelisted attributes to be present in sanitized output when given specially-crafted HTML fragments as input.
Loofah < 2.2.1, but only:
Please note: JRuby users are not affected.
Upgrade to Loofah 2.2.1.
History of this public disclosure
2018-03-19: Initial vulnerability report published
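A lockfile check for the affected range and mitigation stated above, as an added example that is not part of the original issue or of Loofah's own code. The function names and the sample `Gemfile.lock` text are constructed for illustration; the further condition that follows "but only:" is not modelled, so every non-JRuby runtime with an older Loofah is reported as needing the upgrade.

```ruby
require "rubygems" # Gem::Version, for correct version ordering

# Fixed release named in the advisory.
FIXED_VERSION = Gem::Version.new("2.2.1")

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.3)
      loofah (2.2.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)
LOCK

# Resolved gems sit at exactly four spaces of indentation, e.g. "    loofah (2.2.0)".
# Dependency constraints ("      loofah (~> 2.0)") are indented deeper and skipped.
def locked_loofah_versions(lockfile_text)
  lockfile_text.each_line.map do |line|
    m = line.match(/\A {4}loofah \(([0-9][0-9A-Za-z.]*)\)\s*\z/)
    m && Gem::Version.new(m[1])
  end.compact
end

# Classify a lockfile against the advisory:
#   :not_present           - loofah is not a resolved dependency
#   :fixed                 - every resolved loofah is >= 2.2.1
#   :not_affected_on_jruby - older loofah, but the advisory excludes JRuby
#   :upgrade_required      - older loofah on any other engine (conservative)
def loofah_status(lockfile_text, engine: RUBY_ENGINE)
  versions = locked_loofah_versions(lockfile_text)
  return :not_present if versions.empty?
  return :fixed unless versions.any? { |v| v < FIXED_VERSION }

  engine == "jruby" ? :not_affected_on_jruby : :upgrade_required
end

puts "SAMPLE_LOCK on #{RUBY_ENGINE}: #{loofah_status(SAMPLE_LOCK)}"
```

To audit a real project, pass `File.read("Gemfile.lock")` to `loofah_status` in place of the sample text.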