Date: Mon, 19 Mar 2018 17:08:14 -0400 From: Mike Dalessio <mike.dalessio@...il.com> To: ruby-security-ann@...glegroups.com, rubyonrails-security@...glegroups.com, oss-security@...ts.openwall.com, nokogiri-talk <nokogiri-talk@...glegroups.com> Subject: [CVE-2018-8048] Loofah XSS Vulnerability Hello all, A *medium* severity vulnerability has been identified and patched in Loofah, which is a library used by `rails-html-sanitizer`. This issue has been assigned CVE-2018-8048. The public notice can be found here: https://github.com/flavorjones/loofah/issues/144 To save you a click, I've reproduced the contents of the initial announcement here. ----- *# CVE-2018-8048 - Loofah XSS Vulnerability* This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team. *## Severity* Medium (6.7) *## Description* Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. *## Affected Versions* Loofah < 2.2.1, but only: * when running on MRI or RBX, * in combination with libxml2 >= 2.9.2. Please note: JRuby users are not affected. *## Mitigation* Upgrade to Loofah 2.2.1. *## History of this public disclosure* 2018-03-19: Initial vulnerability report published
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ