Mike Dalessio
2018-10-30 13:14:52 UTC
Hello all,
A *medium* severity vulnerability has been identified and patched in Loofah
v2.2.3, which is a dependency of `rails-html-sanitizer`. This issue has
been assigned CVE-2018-16468.
The public notice can be found here:
https://github.com/flavorjones/loofah/issues/154
To save you a click, I've reproduced the contents of the announcement here.
-----
*# CVE-2018-16468 - Loofah XSS Vulnerability*
This issue has been created for public disclosure of an XSS vulnerability
that was responsibly reported (independently) by [Shubham Pathak](https://hackerone.com/hackedbrain)
and @yasinS (Yasin Soliman).
I'd like to thank [HackerOne](https://hackerone.com/loofah) for providing a
secure, responsible mechanism for reporting, and for providing their
fantastic service to the Loofah maintainers.
*## Severity*
Loofah maintainers have evaluated this as [Medium (CVSS3 6.4)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L).
*## Description*
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.
*## Affected Versions*
Loofah < v2.2.3.
*## Mitigation*
Upgrade to Loofah v2.2.3.
*## References*
* [HackerOne report](https://hackerone.com/reports/429267)
*## History of this public disclosure*
2018-10-27: disclosure created, all information is embargoed
2018-10-30: embargo ends, full information made available
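The mitigation above is a version bump, so the practical question for an operator is "which Loofah is locked in my apps?". The following script is an added example, not part of the advisory or of the Loofah project: it reads a `Gemfile.lock`, extracts the locked `loofah` version from the `specs:` block and compares it against the patched release using Ruby's bundled `Gem::Version`. The lockfile text embedded below is constructed for demonstration; pass a real path as the first argument to check an application.

```ruby
# Added example (not part of the advisory): flag a Gemfile.lock whose locked
# Loofah is older than the patched v2.2.3. Only Ruby's bundled rubygems is used.
require "rubygems"

FIXED_LOOFAH = Gem::Version.new("2.2.3")

# Extract the locked version of a gem from Gemfile.lock text.
# In the "specs:" block the resolved gem line is indented four spaces,
# e.g. "    loofah (2.2.2)", while dependency lines beneath it are indented
# six spaces and may carry constraints rather than a single version.
# Returns a Gem::Version, or nil if the gem is not locked at all.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# True when the application locks a Loofah older than the fixed release.
# An app that does not lock Loofah at all is not affected by this advisory.
def vulnerable_loofah?(lockfile_text)
  v = locked_version(lockfile_text, "loofah")
  return false if v.nil?
  v < FIXED_LOOFAH
end

# Constructed sample lockfiles (not taken from any real application).
SAMPLE_VULN = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)
LOCK

SAMPLE_FIXED = SAMPLE_VULN.sub("loofah (2.2.2)", "loofah (2.2.3)")

if __FILE__ == $0
  # With a path argument, check that lockfile; otherwise run on the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_VULN
  v = locked_version(text, "loofah")
  if v.nil?
    puts "loofah is not locked in this Gemfile.lock"
  elsif v < FIXED_LOOFAH
    puts "loofah #{v} is affected by CVE-2018-16468; upgrade to #{FIXED_LOOFAH}"
  else
    puts "loofah #{v} is at or above the patched release"
  end
end
```

Run as `ruby check_loofah.rb path/to/Gemfile.lock`. The regex deliberately requires the four-space indent so that a dependency line such as `loofah (~> 2.2, >= 2.2.2)` under `rails-html-sanitizer` is not mistaken for the resolved version; only the line Bundler actually locked counts.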