Loofah Cross-site Scripting vulnerability · CVE-2018-16468 · GitHub Advisory Database · GitHub

Loofah Cross-site Scripting vulnerability

Moderate severity GitHub Reviewed Published Nov 1, 2018 to the GitHub Advisory Database • Updated Jan 23, 2023

Package

loofah (RubyGems)

Affected versions

< 2.2.3

Patched versions

2.2.3

Description

In the Loofah gem for Ruby, through version 2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. Users are advised to upgrade to version 2.2.3.

See flavorjones/loofah#154 for more details.

References

Published to the GitHub Advisory Database Nov 1, 2018

Reviewed Jun 16, 2020

Last updated Jan 23, 2023

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N