Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 698260 (CVE-2019-15587) - <dev-ruby/loofah-2.3.1 XXS when a crafted SVG element is republished (CVE-2019-15587)
Summary: <dev-ruby/loofah-2.3.1 XXS when a crafted SVG element is republished (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2019-15587
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/flavorjones/loofah...
Whiteboard: B4 [noglsa cleanup]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-10-22 13:25 UTC by Hans de Graaff
Modified: 2020-03-17 14:28 UTC (History)
1 user (show)

See Also:
Package list:
dev-ruby/loofah-2.3.1
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hans de Graaff gentoo-dev Security 2019-10-22 13:25:23 UTC 
This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by https://hackerone.com/vxhex

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.
Severity

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).
Description

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected Versions

Loofah <= v2.3.0

Mitigation

Upgrade to Loofah v2.3.1 or later.
Comment 1 Hans de Graaff gentoo-dev Security 2019-10-22 13:25:44 UTC 
dev-ruby/loofah 2.3.1 has been added.
Comment 2 Agostino Sarubbo gentoo-dev 2019-10-28 07:42:21 UTC 
amd64 stable.

Maintainer(s), please cleanup.
Comment 3 Hans de Graaff gentoo-dev Security 2019-11-11 19:19:52 UTC 
Cleanup done.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-17 14:28:44 UTC 
GLSA Vote: No!

Repository is clean, all done.