RubySec

Providing security resources for the Ruby community

OSVDB-90945 (loofah): Loofah HTML and XSS injection vulnerability

ADVISORIES

  • OSVDB-90945

GEM

loofah

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • >= 0.4.6

DESCRIPTION

Loofah Gem for Ruby contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Loofah::HTML::Document#text function passes properly sanitized user-supplied input to the Loofah::XssFoliate and Loofah::Helpers#strip_tags functions which convert input back to text. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser within the trust relationship between their browser and the server.