CVE-2018-8048 - Loofah XSS Vulnerability
This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.
Severity
(this CVSS3 score is RedHat's assessment)
Description
Loofah allows non-whitelisted attributes to be present in sanitized output when the input contains specially-crafted HTML fragments.
Affected Versions
Loofah < 2.2.1, but only:
- when running on YARV or Rubinius,
- in combination with libxml2 >= 2.9.2.
Please note: JRuby users are not affected.
Mitigation
Upgrade to Loofah 2.2.1.
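The affected-version conditions above, expressed as a check over a `Gemfile.lock` (an added example, not code from the Loofah project). The lockfile text is constructed sample data, the function and constant names are hypothetical, and the Ruby engine and libxml2 version are supplied by the caller.

```ruby
require "rubygems"

FIXED_LOOFAH     = Gem::Version.new("2.2.1")  # first fixed release per this advisory
MIN_LIBXML2      = Gem::Version.new("2.9.2")  # libxml2 versions from here on are affected
AFFECTED_ENGINES = %w[ruby rbx].freeze        # RUBY_ENGINE: YARV reports "ruby", Rubinius "rbx"

# Resolved gems sit at a 4-space indent in the specs: section of Gemfile.lock;
# dependency constraints sit at 6 spaces and are deliberately not matched.
def locked_loofah_version(lockfile_text)
  m = lockfile_text.match(/^ {4}loofah \(([^)\s]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Returns a symbol naming the first condition that rules the deployment out,
# or :affected when every condition from the advisory holds.
# On a live host, engine is RUBY_ENGINE and libxml2 can be read from
# Nokogiri::VERSION_INFO["libxml"]["loaded"].
def cve_2018_8048_exposure(lockfile_text, engine:, libxml2:)
  loofah = locked_loofah_version(lockfile_text)
  return :loofah_not_locked if loofah.nil?
  return :patched if loofah >= FIXED_LOOFAH
  return :engine_not_affected unless AFFECTED_ENGINES.include?(engine)
  # Gem::Version compares numerically, so "2.9.10" correctly sorts above "2.9.2".
  return :libxml2_not_affected if Gem::Version.new(libxml2) < MIN_LIBXML2
  :affected
end

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.3)
      loofah (2.2.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts cve_2018_8048_exposure(SAMPLE_LOCK, engine: "ruby", libxml2: "2.9.10")
end
```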
References
- related CVE-2018-3740 in the sanitize gem
- related CVE-2018-3741 in the rails-html-sanitizer gem
- relevant upstream libxml2 bug report
- relevant upstream libxml2 commit
History of this public disclosure
2018-03-19: Initial vulnerability report published
2018-03-21: CVSS 3.0 score lowered from 6.7 to 6.1 to match RedHat's evaluation
2018-03-22: Added "References" section linking to related CVEs and upstream bug report and commit
2018-03-23: Corrected "MRI" to "YARV"