CVE-2018-16468 - Loofah XSS Vulnerability
This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by Shubham Pathak and @yasinS (Yasin Soliman).
I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.
Severity
Loofah maintainers have evaluated this as Medium (CVSS3 6.4).
Description
In the Loofah gem through v2.2.2, unsanitized JavaScript may appear in sanitized output when a crafted SVG element is republished (sanitized once, then fed back through the sanitizer or re-serialized).
Affected Versions
Loofah < v2.2.3.
Mitigation
Upgrade to Loofah v2.2.3.
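As an added check for this mitigation (this is example code written for this page, not code from the disclosure or from Loofah itself): a small Ruby snippet that reads a Gemfile.lock and reports whether the resolved Loofah version is below the fixed release. It matters even for apps that never declare `loofah` directly, because `rails-html-sanitizer` depends on it. The lockfile contents, constant and function names below are constructed for the example.

```ruby
# Added example (not Loofah's own code): scan a Gemfile.lock for a Loofah
# release affected by CVE-2018-16468 (every release before 2.2.3). Uses only
# rubygems' Gem::Version, so it runs offline with no gems installed.

FIXED_LOOFAH = Gem::Version.new("2.2.3")

# Returns the resolved loofah version from a Gemfile.lock body, or nil when
# loofah is not in the lock. In the lockfile format a resolved gem is the line
# "    name (version)" (exactly four spaces); its dependency lines are indented
# six spaces, so the anchored regex ignores "      loofah (~> 2.2, >= 2.2.2)".
def locked_loofah_version(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}loofah \(([^)\s]+)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# true when the lock pins a Loofah release in the affected range.
# Gem::Version ordering treats prereleases such as 2.2.3.rc1 as < 2.2.3,
# so they are reported as vulnerable too.
def loofah_vulnerable?(lockfile_text)
  version = locked_loofah_version(lockfile_text)
  !version.nil? && version < FIXED_LOOFAH
end

# Constructed sample lock (not from any real project): the app declares only
# rails-html-sanitizer, which pulls in loofah 2.2.2 transitively.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.3.0)
      nokogiri (1.8.5)
        mini_portile2 (~> 2.3.0)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails-html-sanitizer

  BUNDLED WITH
     1.16.6
LOCK

if __FILE__ == $PROGRAM_NAME
  lock = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  version = locked_loofah_version(lock)
  if version.nil?
    puts "loofah is not in this Gemfile.lock"
  elsif loofah_vulnerable?(lock)
    puts "loofah #{version} is affected by CVE-2018-16468; upgrade to #{FIXED_LOOFAH} or later"
  else
    puts "loofah #{version} is not affected by CVE-2018-16468"
  end
end
```

Run it as `ruby check_loofah.rb path/to/Gemfile.lock`; with no argument it evaluates the constructed sample lock above. Because the regex anchors on the four-space spec line, a `~> 2.2` dependency constraint elsewhere in the lock is never mistaken for the resolved version.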
References
History of this public disclosure
2018-10-27: disclosure created, all information is embargoed
2018-10-30: embargo ends, full information made available