Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/loofah@0.3.1

Type gem

Namespace

Name loofah

Version 0.3.1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-1hd6-2xsv-hyf1

vulnerability_id VCID-1hd6-2xsv-hyf1

summary

Loofah Allows Cross-site Scripting
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15587.json

reference_id

reference_type

scores

value	4.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-15587.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-15587

reference_id

reference_type

scores

value	0.02332
scoring_system	epss
scoring_elements	0.85097
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-15587

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15587
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15587

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/flavorjones/loofah

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah

reference_url

https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec

reference_url

https://github.com/flavorjones/loofah/issues/171

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3
scoring_elements

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah/issues/171

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2019-15587.yml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2019-15587.yml

reference_url

https://hackerone.com/reports/709009

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/709009

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WK2UG7ORKRQOJ6E4XJ2NVIHYJES6BYZ

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WK2UG7ORKRQOJ6E4XJ2NVIHYJES6BYZ

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WK2UG7ORKRQOJ6E4XJ2NVIHYJES6BYZ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WK2UG7ORKRQOJ6E4XJ2NVIHYJES6BYZ/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMCWPLYPNIWYAY443IZZJ4IHBBLIHBP5

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMCWPLYPNIWYAY443IZZJ4IHBBLIHBP5

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMCWPLYPNIWYAY443IZZJ4IHBBLIHBP5/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMCWPLYPNIWYAY443IZZJ4IHBBLIHBP5/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-15587

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-15587

reference_url

https://security.netapp.com/advisory/ntap-20191122-0003

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20191122-0003

reference_url	https://security.netapp.com/advisory/ntap-20191122-0003/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20191122-0003/

reference_url

https://usn.ubuntu.com/4498-1

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://usn.ubuntu.com/4498-1

reference_url	https://usn.ubuntu.com/4498-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4498-1/

reference_url

https://www.debian.org/security/2019/dsa-4554

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2019/dsa-4554

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1774081
reference_id	1774081
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1774081

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942894
reference_id	942894
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942894

reference_url

https://github.com/advisories/GHSA-c3gv-9cxf-6f57

reference_id

GHSA-c3gv-9cxf-6f57

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c3gv-9cxf-6f57

fixed_packages

url pkg:gem/loofah@2.3.1

purl pkg:gem/loofah@2.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-43f2-px63-uyc1

vulnerability	VCID-9qhs-whsb-ffhz

vulnerability	VCID-t7w7-qwjj-cuew

vulnerability	VCID-vqc1-xzgb-33et

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/loofah@2.3.1

aliases CVE-2019-15587, GHSA-c3gv-9cxf-6f57

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1hd6-2xsv-hyf1

url VCID-43f2-px63-uyc1

vulnerability_id VCID-43f2-px63-uyc1

summary rubygem-loofah: inefficient regular expression leading to denial of service

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23514.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23514

reference_id

reference_type

scores

value	0.00271
scoring_system	epss
scoring_elements	0.50735
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23514

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23514
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23514

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/flavorjones/loofah

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah

reference_url

https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143

reference_url

https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/

url

https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml

reference_url

https://hackerone.com/reports/1684163

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/

url

https://hackerone.com/reports/1684163

reference_url

https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-21T14:49:18Z/

url

https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html

reference_url

https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23514

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23514

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026083
reference_id	1026083
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026083

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2153234
reference_id	2153234
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2153234

reference_url	https://github.com/advisories/GHSA-486f-hjj9-9vhh
reference_id	GHSA-486f-hjj9-9vhh
reference_type
scores
url	https://github.com/advisories/GHSA-486f-hjj9-9vhh

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

fixed_packages

url pkg:gem/loofah@2.19.1

purl pkg:gem/loofah@2.19.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vqc1-xzgb-33et

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/loofah@2.19.1

aliases CVE-2022-23514, GHSA-486f-hjj9-9vhh

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-43f2-px63-uyc1

url VCID-dq2k-d8rd-1kgu

vulnerability_id VCID-dq2k-d8rd-1kgu

summary

Cross-site Scripting in loofah
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Users are affected if running Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

JRuby users are not affected.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8048.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8048.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-8048

reference_id

reference_type

scores

value	0.00689
scoring_system	epss
scoring_elements	0.72092
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-8048

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8048
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8048

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-x7rv-cr6v-4vm4

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-x7rv-cr6v-4vm4

reference_url

https://github.com/flavorjones/loofah

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah

reference_url

https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116

reference_url

https://github.com/flavorjones/loofah/issues/144

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah/issues/144

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2018-8048.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2018-8048.yml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml

reference_url

https://github.com/sparklemotion/nokogiri/pull/1746

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/sparklemotion/nokogiri/pull/1746

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-8048

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-8048

reference_url

https://security.netapp.com/advisory/ntap-20191122-0003

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20191122-0003

reference_url	https://security.netapp.com/advisory/ntap-20191122-0003/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20191122-0003/

reference_url

https://www.debian.org/security/2018/dsa-4171

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2018/dsa-4171

reference_url

http://www.openwall.com/lists/oss-security/2018/03/19/5

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2018/03/19/5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1559071
reference_id	1559071
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1559071

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893596
reference_id	893596
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893596

fixed_packages

url pkg:gem/loofah@2.2.1

purl pkg:gem/loofah@2.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1hd6-2xsv-hyf1

vulnerability	VCID-43f2-px63-uyc1

vulnerability	VCID-9qhs-whsb-ffhz

vulnerability	VCID-nx5y-skpv-pqbf

vulnerability	VCID-t7w7-qwjj-cuew

vulnerability	VCID-vqc1-xzgb-33et

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/loofah@2.2.1

aliases CVE-2018-8048, GHSA-x7rv-cr6v-4vm4

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dq2k-d8rd-1kgu

url VCID-nx5y-skpv-pqbf

vulnerability_id VCID-nx5y-skpv-pqbf

summary

Loofah Cross-site Scripting vulnerability
In the Loofah gem for Ruby, through version 2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. Users are advised to upgrade to version 2.2.3.

See https://github.com/flavorjones/loofah/issues/154 for more details.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16468.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16468.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-16468

reference_id

reference_type

scores

value	0.00314
scoring_system	epss
scoring_elements	0.54793
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-16468

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16468
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16468

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/flavorjones/loofah

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah

reference_url

https://github.com/flavorjones/loofah/issues/154

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3
scoring_elements

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah/issues/154

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-16468

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-16468

reference_url

https://www.debian.org/security/2019/dsa-4364

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2019/dsa-4364

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1646715
reference_id	1646715
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1646715

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912398
reference_id	912398
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912398

reference_url

https://github.com/advisories/GHSA-g4xq-jx4w-4cjv

reference_id

GHSA-g4xq-jx4w-4cjv

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g4xq-jx4w-4cjv

fixed_packages

url pkg:gem/loofah@2.2.3

purl pkg:gem/loofah@2.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1hd6-2xsv-hyf1

vulnerability	VCID-43f2-px63-uyc1

vulnerability	VCID-9qhs-whsb-ffhz

vulnerability	VCID-t7w7-qwjj-cuew

vulnerability	VCID-vqc1-xzgb-33et

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/loofah@2.2.3

aliases CVE-2018-16468, GHSA-g4xq-jx4w-4cjv

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nx5y-skpv-pqbf

url VCID-p9fc-5xgx-23fn

vulnerability_id VCID-p9fc-5xgx-23fn

summary rubygem-rails-html-sanitizer: Improper neutralization of data URIs leading to Cross site scripting

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23518.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23518.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-23518

reference_id

reference_type

scores

value	0.00312
scoring_system	epss
scoring_elements	0.54605
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-23518

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23518
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23518

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails-html-sanitizer

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails-html-sanitizer

reference_url

https://github.com/rails/rails-html-sanitizer/issues/135

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails-html-sanitizer/issues/135

reference_url

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml

reference_url

https://github.com/w3c/svgwg/issues/266

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/w3c/svgwg/issues/266

reference_url

https://hackerone.com/reports/1694173

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1694173

reference_url

https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html

reference_url

https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23518

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23518

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153
reference_id	1027153
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027153

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2153701
reference_id	2153701
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2153701

reference_url	https://github.com/advisories/GHSA-mcvf-2q2m-x72m
reference_id	GHSA-mcvf-2q2m-x72m
reference_type
scores
url	https://github.com/advisories/GHSA-mcvf-2q2m-x72m

reference_url	https://access.redhat.com/errata/RHSA-2023:2097
reference_id	RHSA-2023:2097
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2097

fixed_packages

url pkg:gem/loofah@2.1.1

purl pkg:gem/loofah@2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1hd6-2xsv-hyf1

vulnerability	VCID-43f2-px63-uyc1

vulnerability	VCID-9qhs-whsb-ffhz

vulnerability	VCID-dq2k-d8rd-1kgu

vulnerability	VCID-nx5y-skpv-pqbf

vulnerability	VCID-vqc1-xzgb-33et

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/loofah@2.1.1

aliases CVE-2022-23518, GHSA-mcvf-2q2m-x72m

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p9fc-5xgx-23fn

url VCID-vqc1-xzgb-33et

vulnerability_id VCID-vqc1-xzgb-33et

summary

Improper detection of disallowed URIs by Loofah `allowed_uri?`
## Summary

`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `&#13;` (carriage return), `&#10;` (line feed), or `&#9;` (tab).

## Details

The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java&#13;script:alert(1)` survive the control character strip, then `&#13;` is decoded to a carriage return, producing `java\rscript:alert(1)`.

Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.

## Impact

Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah `2.25.0`.

## Mitigation

Upgrade to Loofah >= `2.25.1`.

## Credit

Responsibly reported by HackOne user `@smlee`.

references

reference_url

https://github.com/flavorjones/loofah

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah

reference_url

https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m

reference_url	https://github.com/advisories/GHSA-46fp-8f5p-pf2m
reference_id	GHSA-46fp-8f5p-pf2m
reference_type
scores
url	https://github.com/advisories/GHSA-46fp-8f5p-pf2m

fixed_packages

url pkg:gem/loofah@2.25.1

purl pkg:gem/loofah@2.25.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vqc1-xzgb-33et

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/loofah@2.25.1

aliases GHSA-46fp-8f5p-pf2m

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vqc1-xzgb-33et

Fixing_vulnerabilities

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/loofah@0.3.1

Package Instance