Bug 669970 (CVE-2018-16468) - <dev-ruby/loofah-2.2.3: unsanitized JavaScript may occur in sanitized output (CVE-2018-16468)
Summary: <dev-ruby/loofah-2.2.3: unsanitized JavaScript may occur in sanitized output ...
Status: RESOLVED FIXED
Alias: CVE-2018-16468
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/flavorjones/loofah...
Whiteboard: B4 [noglsa cve]
Reported: 2018-10-30 15:57 UTC by Hans de Graaff
Modified: 2018-11-23 21:26 UTC (History)
Package list:
dev-ruby/loofah-2.2.3
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2018-10-30 15:57:42 UTC
This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by [Shubham Pathak](https://hackerone.com/hackedbrain) and @yasinS (Yasin Soliman).

I'd like to thank [HackerOne](https://hackerone.com/loofah) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.


## Severity

Loofah maintainers have evaluated this as [Medium (CVSS3 6.4)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L).


## Description

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.


## Affected Versions

Loofah < v2.2.3.


## Mitigation

Upgrade to Loofah v2.2.3.


## References

* [HackerOne report](https://hackerone.com/reports/429267)
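A practitioner's check for the affected-version range above, as an added example that is not part of this bug report or of Loofah's own code: it reads the `specs:` block of a Bundler Gemfile.lock, extracts the locked `loofah` version, and compares it against the fixed release 2.2.3 using `Gem::Version` from Ruby's standard library, so no third-party gems are needed. The helper names (`loofah_vulnerable?`, `locked_versions`, `vulnerable_gems`) and the sample lockfile are assumptions made for this example; the lockfile is constructed, not taken from any real application.

```ruby
require 'rubygems' # Gem::Version ships with Ruby; no third-party gems needed

# Fixed release named in this advisory: anything below it is affected.
FIXED_LOOFAH = Gem::Version.new('2.2.3')

# True when a loofah version string falls below the fixed release.
# Gem::Version orders prereleases before the final release, so '2.2.3.rc1'
# is also reported as vulnerable, which is the conservative answer.
def loofah_vulnerable?(version_string)
  Gem::Version.new(version_string) < FIXED_LOOFAH
end

# Parse the "specs:" block of a Bundler Gemfile.lock into a Hash of
# gem name => Gem::Version. Spec lines are indented by exactly four spaces
# ("    loofah (2.2.2)"); their dependencies are indented by six and skipped.
# A platform suffix such as "(1.8.5-x86_64-linux)" is dropped before parsing.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ # new top-level section: GEM, PLATFORMS, DEPENDENCIES, ...
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \((\d[\w.]*)[^)]*\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Compare locked versions against a table of fixed releases and return the
# gems that need upgrading as [name, locked, fixed] triples (strings).
def vulnerable_gems(lockfile_text, fixed = { 'loofah' => FIXED_LOOFAH })
  locked = locked_versions(lockfile_text)
  fixed.each_with_object([]) do |(name, fixed_version), found|
    locked_version = locked[name]
    next unless locked_version && locked_version < fixed_version
    found << [name, locked_version.to_s, fixed_version.to_s]
  end
end

# Constructed sample lockfile (hypothetical application) pinning the last
# affected loofah release.
SAMPLE_LOCKFILE = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    crass (1.0.4)
    loofah (2.2.2)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    mini_portile2 (2.3.0)
    nokogiri (1.8.5-x86_64-linux)
      mini_portile2 (~> 2.3.0)

PLATFORMS
  ruby

DEPENDENCIES
  loofah

BUNDLED WITH
   1.16.6
LOCK

if $PROGRAM_NAME == __FILE__
  vulnerable_gems(SAMPLE_LOCKFILE).each do |name, locked, fixed|
    puts "#{name} #{locked} is below the fixed release #{fixed}; run: bundle update #{name}"
  end
end
```

Run it against a real application by replacing `SAMPLE_LOCKFILE` with `File.read('Gemfile.lock')`; a non-empty result from `vulnerable_gems` means the mitigation in the advisory (`bundle update loofah` to 2.2.3 or later) still applies. Only direct `loofah` pins are checked here; a lockfile that pulls loofah in transitively still lists it under `specs:`, so it is caught the same way.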
Comment 1 Hans de Graaff gentoo-dev Security 2018-10-30 15:58:12 UTC
dev-ruby/loofah-2.2.3 has been added.
Comment 2 Hans de Graaff gentoo-dev Security 2018-10-31 06:51:55 UTC
amd64 stable.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-01 19:17:19 UTC
@ maintainer(s): please clean up and drop vulnerable <dev-ruby/loofah-2.2.3 ebuild(s)!
Comment 4 Hans de Graaff gentoo-dev Security 2018-11-07 18:57:55 UTC
Vulnerable versions have been removed.