
CVE-2019-15587 - Loofah XSS Vulnerability #171

Closed

Description

@flavorjones


This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by https://hackerone.com/vxhex.

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

Severity

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

Description

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected Versions

Loofah <= v2.3.0

Mitigation

Upgrade to Loofah v2.3.1 or later.
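A CI-style check a defender can run to catch a locked Loofah version inside the affected range, written as an added example for this advisory (not code from the advisory or the Loofah project; the Gemfile.lock fragment is constructed, and the helper names are this example's own):

```ruby
# Added example: flag a Gemfile.lock whose resolved loofah version is
# affected by CVE-2019-15587 (affected <= 2.3.0, fixed in 2.3.1).
require "rubygems" # Gem::Version ships with RubyGems

FIXED_LOOFAH_VERSION = Gem::Version.new("2.3.1")

# Extract the resolved loofah version from Gemfile.lock text (nil if absent).
# Bundler lists resolved gems under "specs:" as "    name (version)" with
# exactly four leading spaces; dependency lines are indented further.
def locked_loofah_version(lockfile_text)
  match = lockfile_text.match(/^ {4}loofah \(([^)]+)\)/)
  match && Gem::Version.new(match[1])
end

# True when the resolved version is below the first fixed release.
def loofah_affected?(version)
  return false if version.nil?
  version < FIXED_LOOFAH_VERSION
end

# One-line finding for a lockfile, suitable for CI output.
def audit_lockfile(lockfile_text)
  version = locked_loofah_version(lockfile_text)
  return "loofah not present in lockfile" if version.nil?
  if loofah_affected?(version)
    "loofah #{version} is affected by CVE-2019-15587; upgrade to >= #{FIXED_LOOFAH_VERSION}"
  else
    "loofah #{version} is not affected by CVE-2019-15587"
  end
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.3.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.3.0)
        loofah (~> 2.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts audit_lockfile(SAMPLE_LOCKFILE)
end
```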

References

History of this public disclosure

2019-10-09: disclosure created, all information is embargoed
2019-10-22: embargo ends, full information made available
2019-10-22: corrected "affected versions" to read Loofah <= v2.3.0
