CVE-2019-15587 - Loofah XSS Vulnerability
This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by https://hackerone.com/vxhex
I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.
Severity
The Loofah maintainers have evaluated this as Medium severity (CVSS3 6.4).
Description
In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Affected Versions
Loofah <= v2.3.0
Mitigation
Upgrade to Loofah v2.3.1 or later.
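As an added example (not part of this advisory or of the Loofah project), the following Ruby script checks a Gemfile.lock for the resolved Loofah version and reports whether it falls inside the affected range stated above (<= 2.3.0, fixed in 2.3.1); the sample lockfile excerpt is constructed for demonstration.

```ruby
# Added example, not part of the Loofah advisory: check a Gemfile.lock for a
# Loofah version inside the affected range (<= 2.3.0, fixed in 2.3.1).
require "rubygems" # provides Gem::Version (standard library)

FIXED_LOOFAH_VERSION = Gem::Version.new("2.3.1")

# Returns the resolved loofah version string from Gemfile.lock text, or nil
# if loofah is not in the lockfile. Resolved entries look like
# "    loofah (2.3.0)"; dependency lines such as "      crass (~> 1.0.2)"
# are deeper-indented and carry a constraint, so only the spec line matches.
def loofah_version_from_lockfile(lockfile_text)
  lockfile_text.each_line do |line|
    if (m = line.match(/^\s+loofah \(([^)\s]+)\)\s*$/))
      return m[1]
    end
  end
  nil
end

# Compare with Gem::Version rather than as strings, so that 2.10.0 sorts
# after 2.3.1 and a prerelease such as 2.3.1.pre counts as older than 2.3.1.
def affected_by_cve_2019_15587?(version_string)
  Gem::Version.new(version_string) < FIXED_LOOFAH_VERSION
end

# Constructed sample lockfile excerpt (hypothetical, for demonstration only).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.5)
      loofah (2.3.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = loofah_version_from_lockfile(SAMPLE_LOCKFILE)
  if v.nil?
    puts "loofah not found in lockfile"
  elsif affected_by_cve_2019_15587?(v)
    puts "loofah #{v}: affected by CVE-2019-15587, upgrade to 2.3.1 or later"
  else
    puts "loofah #{v}: not affected by CVE-2019-15587"
  end
end
```

Run it against a real lockfile by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock").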
References
- HackerOne report (private)
History of this public disclosure
2019-10-09: disclosure created, all information is embargoed
2019-10-22: embargo ends, full information made available
2019-10-22: corrected "affected versions" to read Loofah <= v2.3.0