Loofah HTML and XSS injection vulnerability
Published: September 08, 2012
SECURITY IDENTIFIERS
- OSVDB: OSVDB-90945
- Vendor Advisory: https://security.snyk.io/vuln/SNYK-RUBY-LOOFAH-20039
GEM
SEVERITY
CVSS v2.0: 5.0 (Medium)
PATCHED VERSIONS
>= 0.4.6
DESCRIPTION
Loofah Gem for Ruby contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Loofah::HTML::Document#text function passes properly sanitized user-supplied input to the Loofah::XssFoliate and Loofah::Helpers#strip_tags functions, which convert the input back to text. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
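The defect class described above, as an added illustration that is not Loofah's own code: it models the "sanitize, then convert back to text" round trip with the Ruby standard library only (CGI.unescapeHTML stands in for the text conversion), and shows the output-side escaping and a fail-closed check a defender would add. The sample input is constructed.

```ruby
require 'cgi'

# Constructed sample: attacker-controlled input that a sanitizer has already
# entity-escaped. This is the "properly sanitized" state the advisory refers to.
SANITIZED_INPUT = "Hello &lt;script&gt;alert(1)&lt;/script&gt; world"

# Stand-in for the pre-0.4.6 text conversion described in the advisory (not
# Loofah's implementation): decoding entities turns the neutralised markup
# back into live markup.
def to_text(sanitized_html)
  CGI.unescapeHTML(sanitized_html)
end

# Vulnerable rendering: trusts the converted "text" and interpolates it into
# a page, so any tags reintroduced by to_text reach the browser.
def render_unsafe(text)
  "<p>#{text}</p>"
end

# Hardened rendering: escape at the point of output regardless of what earlier
# stages did. Sanitizing once upstream does not make a later round trip safe.
def render_safe(text)
  "<p>#{CGI.escapeHTML(text)}</p>"
end

# Defensive check: something that is supposed to be plain text should carry no
# tags at all. Use it to fail closed or to log when the invariant is violated.
def contains_markup?(text)
  text.match?(%r{<\s*/?\s*[a-z][^>]*>}i)
end

if __FILE__ == $PROGRAM_NAME
  text = to_text(SANITIZED_INPUT)
  puts "round-trip reintroduced markup: #{contains_markup?(text)}"
  puts "unsafe: #{render_unsafe(text)}"
  puts "safe:   #{render_safe(text)}"
end
```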
