This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by [Shubham Pathak](https://hackerone.com/hackedbrain) and @yasinS (Yasin Soliman). I'd like to thank [HackerOne](https://hackerone.com/loofah) for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

## Severity

Loofah maintainers have evaluated this as [Medium (CVSS3 6.4)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L).

## Description

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

## Affected Versions

Loofah < v2.2.3.

## Mitigation

Upgrade to Loofah v2.2.3.

## References

* [HackerOne report](https://hackerone.com/reports/429267)
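One way to check a Bundler project against the affected range stated above, as an added example that is not part of the advisory or the Loofah project's own code. The helper names and the sample lockfile are constructed for illustration; only the fixed version, v2.2.3, comes from the advisory.

```ruby
require "rubygems"

# First Loofah release with the fix, per the advisory above.
FIXED_LOOFAH = Gem::Version.new("2.2.3")

# Constructed sample Gemfile.lock (not from the advisory).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.5)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  DEPENDENCIES
    loofah
LOCK

# Return the loofah versions actually pinned in Gemfile.lock text.
# Only resolved entries of a "specs:" block count (4-space indent,
# "name (version)"). Constraint lines such as "loofah (~> 2.2, >= 2.2.2)"
# are indented deeper, and DEPENDENCIES entries carry no resolved version.
def locked_loofah_versions(lockfile_text)
  in_specs = false
  versions = []
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ || line.strip.empty?
      in_specs = false # next top-level section or end of the block
    elsif in_specs && (m = line.match(/\A    loofah \(([^)\s]+)\)\z/))
      versions << Gem::Version.new(m[1]) if Gem::Version.correct?(m[1])
    end
  end
  versions
end

# Pinned versions below the fixed release (pre-releases of 2.2.3 included).
def vulnerable_loofah(lockfile_text)
  locked_loofah_versions(lockfile_text).select { |v| v < FIXED_LOOFAH }.map(&:to_s)
end

if __FILE__ == $PROGRAM_NAME
  bad = vulnerable_loofah(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
  puts bad.empty? ? "no vulnerable loofah pinned" : "vulnerable loofah pinned: #{bad.join(', ')}"
end
```

Run it with the path to a `Gemfile.lock` as the only argument; without an argument it checks the constructed sample.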
dev-ruby/loofah-2.2.3 has been added.
amd64 stable.
@ maintainer(s): please clean up and drop vulnerable <dev-ruby/loofah-2.2.3 ebuild(s)!
Vulnerable versions have been removed.