Date: Mon, 19 Mar 2018 17:08:14 -0400
From: Mike Dalessio <mike.dalessio@...il.com>
To: ruby-security-ann@...glegroups.com, rubyonrails-security@...glegroups.com, 
	oss-security@...ts.openwall.com, 
	nokogiri-talk <nokogiri-talk@...glegroups.com>
Subject: [CVE-2018-8048] Loofah XSS Vulnerability

Hello all,

A *medium* severity vulnerability has been identified and patched in
Loofah, which is a library used by `rails-html-sanitizer`. This issue has
been assigned CVE-2018-8048.

The public notice can be found here:

    https://github.com/flavorjones/loofah/issues/144

To save you a click, I've reproduced the contents of the initial
announcement here.

-----

# CVE-2018-8048 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS / code
injection vulnerability that was responsibly reported by the Shopify
Application Security Team.

## Severity

Medium (6.7)


## Description

Loofah allows non-whitelisted attributes to be present in sanitized output
when it is given specially crafted HTML fragments as input.


## Affected Versions

Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.


## Mitigation

Upgrade to Loofah 2.2.1.


## History of this public disclosure

2018-03-19: Initial vulnerability report published
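The advisory above describes the failure mode (an attribute outside the allowlist surviving sanitization) but gives no way to catch it. The following is an added example, not code from this announcement or from the Loofah project: a defence-in-depth post-condition check that scans a sanitized fragment for any attribute not on an allowlist, so a regression test can fail if a sanitizer ever lets one through. The allowlist and sample strings are constructed for the example and are not Loofah's own.

```ruby
# Added example: post-sanitization attribute allowlist check (not Loofah code).
# Constructed allowlist; "*" lists attributes permitted on any element.
ALLOWED_ATTRIBUTES = {
  "a"   => %w[href title],
  "img" => %w[src alt],
  "*"   => %w[class id],
}.freeze

# One start tag: captures the element name and its raw attribute string.
# Closing tags (</a>) never match because the name must begin with a letter.
TAG_RE  = /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/m
# One attribute inside that string; only the name is captured.
ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/

# Returns [element, attribute] pairs present in +html+ but absent from the
# allowlist. An empty array means the output satisfies the allowlist.
def disallowed_attributes(html, allowlist = ALLOWED_ATTRIBUTES)
  html.scan(TAG_RE).flat_map do |tag, attrs|
    tag = tag.downcase
    permitted = (allowlist[tag] || []) + (allowlist["*"] || [])
    attrs.scan(ATTR_RE).flatten.map(&:downcase)
         .reject { |name| permitted.include?(name) }
         .map { |name| [tag, name] }
  end
end

# Constructed strings standing in for sanitizer output: one clean, one where
# attributes outside the allowlist leaked through.
CLEAN  = '<a href="https://example.com" class="x">ok</a><img src="/a.png" alt="">'
LEAKED = '<a href="https://example.com" onmouseover="x()">hi</a><p style="color:red">t</p>'

if __FILE__ == $0
  p disallowed_attributes(CLEAN)   # => []
  p disallowed_attributes(LEAKED)  # => [["a", "onmouseover"], ["p", "style"]]
end
```

Run the check against your sanitizer's output in a test suite; a non-empty result after upgrading to Loofah 2.2.1 indicates the allowlist and the sanitizer configuration disagree.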
