Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 19 Mar 2018 17:08:14 -0400
From: Mike Dalessio <>
	nokogiri-talk <>
Subject: [CVE-2018-8048] Loofah XSS Vulnerability

Hello all,

A *medium* severity vulnerability has been identified and patched in
Loofah, which is a library used by `rails-html-sanitizer`. This issue has
been assigned CVE-2018-8048.

The public notice can be found here:

To save you a click, I've reproduced the contents of the initial
announcement here.


*# CVE-2018-8048 - Loofah XSS Vulnerability*

This issue has been created for public disclosure of an XSS / code
injection vulnerability that was responsibly reported by the Shopify
Application Security Team.

*## Severity*

Medium (6.7)

*## Description*

Loofah allows non-whitelisted attributes to be present in sanitized output
when input with specially-crafted HTML fragments.

*## Affected Versions*

Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.

*## Mitigation*

Upgrade to Loofah 2.2.1.

*## History of this public disclosure*

2018-03-19: Initial vulnerability report published

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ