Skip to content

CVE-2018-16468 - Loofah XSS Vulnerability #154

Closed
@flavorjones

Description

@flavorjones

CVE-2018-16468 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by Shubham Pathak and @yasinS (Yasin Soliman).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

Severity

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

Description

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected Versions

Loofah < v2.2.3.

Mitigation

Upgrade to Loofah v2.2.3.

References

History of this public disclosure

2018-10-27: disclosure created, all information is embargoed
2018-10-30: embargo ends, full information made available

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions