Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

Back

---
gem: loofah
date: 2018-10-30
url: https://github.com/flavorjones/loofah/issues/154
cve: 2018-16468
title: Loofah XSS Vulnerability
description: |
  In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in
  sanitized output when a crafted SVG element is republished.
cvss_v3: '6.4'
patched_versions:
- ">=  2.2.3"
related:
  url: '["https://hackerone.com/reports/429267"]'