CVE-2019-15587 - Loofah XSS Vulnerability #171
Closed
Comments
flavorjones
added a commit
that referenced
this issue
Oct 22, 2019
this addresses CVE-2019-15587 see #171 for more information #171
This issue has been updated with full unembargoed information.
v2.3.1 is released which addresses this vulnerability.
The "affected versions" section contains "< 2.3.0", but reading the rest of the report I assume this should be < 2.3.1 (that is, including 2.3.0)?
@graaff You're right, I've corrected it to
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Oct 22, 2019
## 2.3.1 / 2019-10-22

### Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

## 2.3.0 / unreleased

### Features

* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
* Expand set of allowed CSS functions. [related to #122]
* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)

### Bug fixes

* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

### Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

* Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
* Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this issue
Oct 23, 2019
www/ruby-loofah: security fix

Revisions pulled up:
- www/ruby-loofah/Makefile 1.6
- www/ruby-loofah/PLIST 1.5
- www/ruby-loofah/distinfo 1.6
---
Module Name: pkgsrc
Committed By: taca
Date: Tue Oct 22 16:24:20 UTC 2019

Modified Files:
pkgsrc/www/ruby-loofah: Makefile PLIST distinfo

Log Message:
www/ruby-loofah: update to 2.3.1

## 2.3.1 / 2019-10-22

### Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

## 2.3.0 / unreleased

### Features

* Expand set of allowed protocols to include `tel:` and `line:`. [#104, #147]
* Expand set of allowed CSS functions. [related to #122]
* Allow greater precision in shorthand CSS values. [#149] (Thanks, @danfstucky!)
* Allow CSS property `list-style` [#162] (Thanks, @jaredbeck!)
* Allow CSS keywords `thick` and `thin` [#168] (Thanks, @georgeclaghorn!)
* Allow HTML property `contenteditable` [#167] (Thanks, @andreynering!)

### Bug fixes

* CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165] (Thanks, @asok!)

### Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

* Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
* Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
* Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.

Thanks to @JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.
kylorhall
added a commit
to sharesight/help.sharesight.com
that referenced
this issue
Oct 24, 2019
Name: loofah
Version: 2.3.0
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1
kylorhall
added a commit
to sharesight/www.sharesight.com
that referenced
this issue
Oct 24, 2019
Name: loofah
Version: 2.3.0
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1
Merged
rokumatsumoto
added a commit
to rokumatsumoto/boyutluseyler
that referenced
this issue
Oct 24, 2019
Vulnerability CVE-2019-15587 In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. flavorjones/loofah#171
pablobm
added a commit
to pablobm/administrate
that referenced
this issue
Oct 25, 2019
Name: loofah
Version: 2.3.0
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1
dentarg
added a commit
to twingly/feedjira.herokuapp.com
that referenced
this issue
Oct 25, 2019
mr run: /home/travis/build/twingly/audit/repos/feedjira.herokuapp.com

Name: loofah
Version: 2.2.3
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1
senid231
added a commit
to senid231/yeti-web
that referenced
this issue
Oct 27, 2019
Name: loofah
Version: 2.2.3
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1
czimergebot
added a commit
to chanzuckerberg/idseq-web
that referenced
this issue
Nov 6, 2019
Bump loofah from 2.2.3 to 2.3.1

Bumps [loofah](https://github.com/flavorjones/loofah) from 2.2.3 to 2.3.1.
<details>
<summary>Release notes</summary>

*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).*

> ## 2.3.1 / 2019-10-22
>
> ### Security
>
> Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171)
>
> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@​danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@​jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@​georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@​andreynering](https://github.com/andreynering)!)
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@​asok](https://github.com/asok)!)
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@​JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
</details>
<details>
<summary>Changelog</summary>

*Sourced from [loofah's changelog](https://github.com/flavorjones/loofah/blob/master/CHANGELOG.md).*

> ## 2.3.1 / 2019-10-22
>
> ### Security
>
> Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171)
>
> ## 2.3.0 / 2019-09-28
>
> ### Features
>
> * Expand set of allowed protocols to include `tel:` and `line:`. [#104, [#147](https://github-redirect.dependabot.com/flavorjones/loofah/issues/147)]
> * Expand set of allowed CSS functions. [related to [#122](https://github-redirect.dependabot.com/flavorjones/loofah/issues/122)]
> * Allow greater precision in shorthand CSS values. [#149](https://github-redirect.dependabot.com/flavorjones/loofah/issues/149) (Thanks, [@​danfstucky](https://github.com/danfstucky)!)
> * Allow CSS property `list-style` [#162](https://github-redirect.dependabot.com/flavorjones/loofah/issues/162) (Thanks, [@​jaredbeck](https://github.com/jaredbeck)!)
> * Allow CSS keywords `thick` and `thin` [#168](https://github-redirect.dependabot.com/flavorjones/loofah/issues/168) (Thanks, [@​georgeclaghorn](https://github.com/georgeclaghorn)!)
> * Allow HTML property `contenteditable` [#167](https://github-redirect.dependabot.com/flavorjones/loofah/issues/167) (Thanks, [@​andreynering](https://github.com/andreynering)!)
>
> ### Bug fixes
>
> * CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. [#165](https://github-redirect.dependabot.com/flavorjones/loofah/issues/165) (Thanks, [@​asok](https://github.com/asok)!)
>
> ### Deprecations / Name Changes
>
> The following method and constants are hereby deprecated, and will be completely removed in a future release:
>
> * Deprecate `Loofah::Helpers::ActionView.white_list_sanitizer`, please use `Loofah::Helpers::ActionView.safe_list_sanitizer` instead.
> * Deprecate `Loofah::Helpers::ActionView::WhiteListSanitizer`, please use `Loofah::Helpers::ActionView::SafeListSanitizer` instead.
> * Deprecate `Loofah::HTML5::WhiteList`, please use `Loofah::HTML5::SafeList` instead.
>
> Thanks to [@​JuanitoFatas](https://github.com/JuanitoFatas) for submitting these changes in [#164](https://github-redirect.dependabot.com/flavorjones/loofah/issues/164) and for making the language used in Loofah more inclusive.
</details>
<details>
<summary>Commits</summary>

- [`83df303`](flavorjones/loofah@83df303) version bump to v2.3.1
- [`e323a77`](flavorjones/loofah@e323a77) Merge pull request [#172](https://github-redirect.dependabot.com/flavorjones/loofah/issues/172) from flavorjones/171-xss-vulnerability
- [`1d81f91`](flavorjones/loofah@1d81f91) update CHANGELOG
- [`0c6617a`](flavorjones/loofah@0c6617a) mitigate XSS vulnerability in SVG animate attributes
- [`a5bd819`](flavorjones/loofah@a5bd819) rufo formatting
- [`1bdf276`](flavorjones/loofah@1bdf276) formatting in README
- [`1908dc2`](flavorjones/loofah@1908dc2) update CHANGELOG with release date
- [`bcbd7b3`](flavorjones/loofah@bcbd7b3) update dev gemspec
- [`f6d4c2d`](flavorjones/loofah@f6d4c2d) version bump to v2.3.0
- [`08fee8c`](flavorjones/loofah@08fee8c) update dev deps
- Additional commits viewable in [compare view](flavorjones/loofah@v2.2.3...v2.3.1)
</details>
<br />

[](https://help.github.com/articles/configuring-automated-security-fixes)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
Dependabot will merge this PR once CI passes on it, as requested by @jshoe.

[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/chanzuckerberg/idseq-web/network/alerts).
</details>
Merged
bcarreno
added a commit
to bcarreno/blog
that referenced
this issue
Nov 8, 2019
….3.1. <details>
Upgrade loofah

*Sourced from [loofah's releases](https://github.com/flavorjones/loofah/releases).*

> ## 2.3.1 / 2019-10-22
>
> ### Security
>
> Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
>
> This CVE's public notice is at [flavorjones/loofah#171](https://github-redirect.dependabot.com/flavorjones/loofah/issues/171)
>
senid231
added a commit
to senid231/yeti-web
that referenced
this issue
Dec 11, 2019
Name: loofah
Version: 2.2.3
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: nokogiri
Version: 1.10.4
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: puma
Version: 3.12.1
Advisory: CVE-2019-16770
Criticality: High
URL: GHSA-7xx3-m584-x994
Title: Keepalive thread overload/DoS in puma
Solution: upgrade to ~> 3.12.2, >= 4.3.1
CVE-2019-15587 - Loofah XSS Vulnerability
This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by https://hackerone.com/vxhex
I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.
Severity
Loofah maintainers have evaluated this as Medium (CVSS3 6.4).
Description
In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Affected Versions
Loofah <= v2.3.0
Mitigation
Upgrade to Loofah v2.3.1 or later.
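The practical check behind this mitigation is the one the referenced bundler-audit commits above perform: read the application's `Gemfile.lock` and flag any pinned `loofah` that does not satisfy `>= 2.3.1`. The following is an added example written for this page, not code from the Loofah project or from bundler-audit. It uses only Ruby's standard `Gem::Version` / `Gem::Requirement`, assumes Bundler's standard lockfile layout (spec lines indented four spaces as `name (version)`), takes its fixed-version requirements from the advisories quoted on this page (loofah `>= 2.3.1`, and the nokogiri `>= 1.10.5` and puma `~> 3.12.2, >= 4.3.1` lines from the Dec 11 audit output), and runs against a constructed lockfile excerpt rather than any real project.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Fixed-version requirements as stated in the advisories quoted on this page.
# A gem counts as patched when ANY of its listed requirements is satisfied
# (puma's advisory offers two fixed lines: 3.12.x >= 3.12.2, or >= 4.3.1).
ADVISORIES = {
  "loofah"   => { cve: "CVE-2019-15587", fixed: [">= 2.3.1"] },
  "nokogiri" => { cve: "CVE-2019-13117", fixed: [">= 1.10.5"] },
  "puma"     => { cve: "CVE-2019-16770", fixed: ["~> 3.12.2", ">= 4.3.1"] },
}.freeze

# A Gemfile.lock spec line: exactly four spaces, then "name (version)".
# Dependency lines under a spec are indented six spaces and do not match.
SPEC_LINE = /\A {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)\z/

# Returns { gem_name => Gem::Version } for every spec line in the lockfile text.
def parse_lockfile_specs(text)
  text.lines.each_with_object({}) do |line, specs|
    m = SPEC_LINE.match(line.chomp)
    next unless m
    # Platform-specific pins look like "1.10.4-x86_64-linux"; keep the numeric part.
    version = m[2].split("-").first
    specs[m[1]] = Gem::Version.new(version)
  end
end

# True when the installed version satisfies at least one fixed-version requirement.
def patched?(version, fixed_requirements)
  fixed_requirements.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Returns one finding per advisory whose gem is present in the lockfile and unpatched.
def audit_lockfile(text, advisories = ADVISORIES)
  parse_lockfile_specs(text).each_with_object([]) do |(name, version), findings|
    adv = advisories[name]
    next if adv.nil? || patched?(version, adv[:fixed])
    findings << { gem: name, version: version.to_s, cve: adv[:cve],
                  fixed: adv[:fixed].join(", ") }
  end
end

# Constructed sample lockfile excerpt (not taken from any real project).
# <<~ strips the common two-space indent, leaving Bundler's real layout.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.5)
      loofah (2.2.3)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.5)
        mini_portile2 (~> 2.4.0)
      puma (3.12.1)
LOCK

if $PROGRAM_NAME == __FILE__
  audit_lockfile(SAMPLE_LOCK).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:cve]} (fixed in #{f[:fixed]})"
  end
end
```

On the sample above the loofah 2.2.3 and puma 3.12.1 pins are reported and nokogiri 1.10.5 is not; replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")` to run it against a real application. Matching on the requirement strings rather than a hand-written `<` comparison is what makes the puma-style "two fixed lines" case come out right.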
References
History of this public disclosure
2019-10-09: disclosure created, all information is embargoed
2019-10-22: embargo ends, full information made available
2019-10-22: corrected "affected versions" to read
Loofah <= v2.3.0