Lookup for vulnerable packages by Package URL.

| Field | Value |
| --- | --- |
| Purl | pkg:gem/loofah@2.25.1 |
| Type | gem |
| Namespace | |
| Name | loofah |
| Version | 2.25.1 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | null |
| Latest_non_vulnerable_version | null |
| Risk_score | 1.4 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:gem/loofah@2.25.1 |

## Affected_by_vulnerabilities

### [0] VCID-amsh-qpt1-9qb7

| Field | Value |
| --- | --- |
| url | VCID-amsh-qpt1-9qb7 |
| vulnerability_id | VCID-amsh-qpt1-9qb7 |
| references | |
| fixed_packages | |
| aliases | GHSA-46fp-8f5p-pf2m |
| risk_score | 1.4 |
| exploitability | 0.5 |
| weighted_severity | 2.7 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-amsh-qpt1-9qb7 |

summary:

Improper detection of disallowed URIs by Loofah `allowed_uri?`

#### Summary

`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `&#13;` (carriage return), `&#10;` (line feed), or `&#9;` (tab).

#### Details

The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java&#13;script:alert(1)` survive the control character strip, then `&#13;` is decoded to a carriage return, producing `java\rscript:alert(1)`.

Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.

#### Impact

Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah `2.25.0`.

#### Mitigation

Upgrade to Loofah >= `2.25.1`.

#### Credit

Responsibly reported by HackerOne user `@smlee`.

## Fixing_vulnerabilities

### [0] VCID-amsh-qpt1-9qb7

| Field | Value |
| --- | --- |
| url | VCID-amsh-qpt1-9qb7 |
| vulnerability_id | VCID-amsh-qpt1-9qb7 |
| references | |
| fixed_packages | |
| aliases | GHSA-46fp-8f5p-pf2m |
| risk_score | 1.4 |
| exploitability | 0.5 |
| weighted_severity | 2.7 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-amsh-qpt1-9qb7 |

summary:

Improper detection of disallowed URIs by Loofah `allowed_uri?`

#### Summary

`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `&#13;` (carriage return), `&#10;` (line feed), or `&#9;` (tab).

#### Details

The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java&#13;script:alert(1)` survive the control character strip, then `&#13;` is decoded to a carriage return, producing `java\rscript:alert(1)`.

Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.

#### Impact

Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah `2.25.0`.

#### Mitigation

Upgrade to Loofah >= `2.25.1`.

#### Credit

Responsibly reported by HackerOne user `@smlee`.

### [1] VCID-qz71-ek2u-8ybh

| Field | Value |
| --- | --- |
| url | VCID-qz71-ek2u-8ybh |
| vulnerability_id | VCID-qz71-ek2u-8ybh |
| references | |
| fixed_packages | |
| aliases | GHSA-2j22-pr5w-6gq8 |
| risk_score | 1.4 |
| exploitability | 0.5 |
| weighted_severity | 2.7 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-qz71-ek2u-8ybh |

summary:

Loofah has improper detection of disallowed URIs via `allowed_uri?`

#### Summary

`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `&#13;` (carriage return), `&#10;` (line feed), or `&#9;` (tab).

#### Details

The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java&#13;script:alert(1)` survive the control character strip, then `&#13;` is decoded to a carriage return, producing `java\rscript:alert(1)`.

Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.

#### Impact

Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah `2.25.0`.

#### Mitigation

Upgrade to Loofah >= `2.25.1`.

#### Credit

Responsibly reported by HackerOne user `@smlee`.
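The Details sections of the advisories above describe an order-of-operations bug: literal control characters are stripped first, HTML entities are decoded second, so an entity that decodes to a control character survives the strip. The Ruby below is an added example written for this page, not Loofah's own code, and it models that ordering with a toy scheme check in both the vulnerable and the corrected order. The allowlist, the `SCHEME_RE` regex, the `CONTROL_CHARS` class and the function names are assumptions chosen for illustration; the real `allowed_uri?` implementation is not reproduced here.

```ruby
# Added example (not Loofah's code): a toy "allowed_uri?"-style scheme check
# in two orderings, to show why stripping control characters BEFORE decoding
# HTML entities lets "java&#13;script:..." through. Allowlist, regexes and
# function names are assumptions for illustration only.
begin
  require "cgi/escape" # C extension; defines CGI.unescapeHTML on its own
rescue LoadError
  require "cgi"        # fall back to the full library on older layouts
end

# Schemes the toy check accepts in href-like attributes (assumption).
ALLOWED_SCHEMES = %w[http https mailto ftp].freeze

# ASCII control characters and space. Browsers ignore these inside a
# scheme, so "java\rscript:" is treated as "javascript:".
CONTROL_CHARS = /[\x00-\x20\x7f]/

# RFC 3986 scheme syntax followed by ':'. A value that does not match is
# treated as a relative reference (assumed behaviour of the toy check).
SCHEME_RE = /\A([a-zA-Z][a-zA-Z0-9+.\-]*):/

# True when the value has no scheme (relative URL) or an allow-listed one.
# A scheme broken by "\r" fails SCHEME_RE and is therefore mistaken for a
# relative URL: that is the bypass the advisory describes.
def scheme_allowed?(value)
  m = SCHEME_RE.match(value)
  return true if m.nil?
  ALLOWED_SCHEMES.include?(m[1].downcase)
end

# Vulnerable ordering: strip literal control characters first, decode
# entities second. "&#13;" has no control character at strip time, then
# decodes into "\r", which splits the scheme.
def vulnerable_allowed_uri?(uri)
  stripped = uri.gsub(CONTROL_CHARS, "")
  decoded  = CGI.unescapeHTML(stripped)
  scheme_allowed?(decoded)
end

# Corrected ordering: decode entities first, strip control characters
# second, check the scheme last. This mirrors the default sanitize() path,
# where entities are already decoded by the time the scheme is checked.
def hardened_allowed_uri?(uri)
  decoded  = CGI.unescapeHTML(uri)
  stripped = decoded.gsub(CONTROL_CHARS, "")
  scheme_allowed?(stripped)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: the advisory's payload shape plus benign URLs.
  samples = [
    "java&#13;script:alert(1)",
    "java&#9;script:alert(1)",
    "javascript:alert(1)",
    "https://example.com/",
    "/relative/path",
  ]
  samples.each do |s|
    printf("%-28s vulnerable=%-5s hardened=%s\n",
           s.inspect, vulnerable_allowed_uri?(s), hardened_allowed_uri?(s))
  end
end
```

The toy check only illustrates the ordering principle: decode every encoding layer the consumer will decode, then normalize, then apply the allowlist. It is not a substitute for the advisory's mitigation (upgrade to 2.25.1 or later) or for the full `sanitize()` path, which handles entity decoding and many other cases a string-level helper does not.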