Search for packages
| purl | pkg:deb/debian/ruby-loofah@2.25.1-1?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-271j-gcn1-73c5 | Improper neutralization of data URIs may allow XSS in Loofah ## Summary Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266) - https://hackerone.com/reports/1694173 - https://github.com/flavorjones/loofah/issues/101 ## Credit This vulnerability was responsibly reported by Maciej Piechota (@haqpl). |
CVE-2022-23515
GHSA-228g-948r-83gx GMS-2022-8287 |
| VCID-6qdt-my8d-rkd5 | Uncontrolled Recursion in Loofah ## Summary Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html) |
CVE-2022-23516
GHSA-3x8r-x6xp-q4vm GMS-2022-8288 |
| VCID-ab24-w4sg-bbax | Loofah Allows Cross-site Scripting In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. |
CVE-2019-15587
GHSA-c3gv-9cxf-6f57 |
| VCID-paw4-xkmu-w7eb | Cross-site Scripting In the Loofah gem for Ruby, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. |
CVE-2018-16468
GHSA-g4xq-jx4w-4cjv |
| VCID-q52h-9tcw-zfab | Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html) - https://hackerone.com/reports/1684163 ## Credit This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q). |
CVE-2022-23514
GHSA-486f-hjj9-9vhh GMS-2022-8289 |
| VCID-sqa5-8yrd-qyfz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In the Loofah gem for Ruby, denylisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment. |
CVE-2018-8048
GHSA-x7rv-cr6v-4vm4 |