Search for packages
| purl | pkg:gem/loofah@1.1.0 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-ab24-w4sg-bbax
Aliases: CVE-2019-15587 GHSA-c3gv-9cxf-6f57 |
Loofah Allows Cross-site Scripting In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. |
Affected by 4 other vulnerabilities. |
|
VCID-amsh-qpt1-9qb7
Aliases: GHSA-46fp-8f5p-pf2m |
Improper detection of disallowed URIs by Loofah `allowed_uri?` ## Summary `Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as ` ` (carriage return), ` ` (line feed), or `	` (tab). ## Details The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java script:alert(1)` survive the control character strip, then ` ` is decoded to a carriage return, producing `java\rscript:alert(1)`. Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings. ## Impact Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS). This only affects Loofah `2.25.0`. ## Mitigation Upgrade to Loofah >= `2.25.1`. ## Credit Responsibly reported by HackOne user `@smlee`. |
Affected by 1 other vulnerability. |
|
VCID-paw4-xkmu-w7eb
Aliases: CVE-2018-16468 GHSA-g4xq-jx4w-4cjv |
Cross-site Scripting In the Loofah gem for Ruby, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. |
Affected by 5 other vulnerabilities. |
|
VCID-q52h-9tcw-zfab
Aliases: CVE-2022-23514 GHSA-486f-hjj9-9vhh GMS-2022-8289 |
Inefficient Regular Expression Complexity in Loofah ## Summary Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. ## Mitigation Upgrade to Loofah `>= 2.19.1`. ## Severity The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). ## References - [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html) - https://hackerone.com/reports/1684163 ## Credit This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q). |
Affected by 1 other vulnerability. |
|
VCID-sqa5-8yrd-qyfz
Aliases: CVE-2018-8048 GHSA-x7rv-cr6v-4vm4 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In the Loofah gem for Ruby, denylisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment. |
Affected by 6 other vulnerabilities. |
|
VCID-wxfr-bs81-augc
Aliases: CVE-2022-23518 GHSA-mcvf-2q2m-x72m GMS-2022-8300 |
Improper neutralization of data URIs may allow XSS in rails-html-sanitizer ## Summary rails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`. ## Mitigation Upgrade to rails-html-sanitizer `>= 1.4.4`. ## Severity The maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266) - https://github.com/rails/rails-html-sanitizer/issues/135 - https://hackerone.com/reports/1694173 ## Credit This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche). |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||