ADVISORIES

• OSVDB-90945
• Vendor Advisory

GEM

loofah

SEVERITY

CVSS v2.0: 5.0 (Medium)

PATCHED VERSIONS

• >= 0.4.6

DESCRIPTION

Loofah Gem for Ruby contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Loofah::HTML::Document#text function passes properly sanitized user-supplied input to the Loofah::XssFoliate and Loofah::Helpers#strip_tags functions which convert input back to text. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

RELATED

• https://github.com/flavorjones/loofah/compare/v0.4.5...v0.4.6
• https://security.snyk.io/vuln/SNYK-RUBY-LOOFAH-20039
• https://www.versioneye.com/Ruby/loofah/0.4.2
• https://www.mend.io/vulnerability-database/WS-2012-0023
• http://www.osvdb.org/show/osvdb/90945