Bug 698260 (CVE-2019-15587) - <dev-ruby/loofah-2.3.1 XSS when a crafted SVG element is republished (CVE-2019-15587)
Alias: CVE-2019-15587
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cleanup]
Depends on:
Reported: 2019-10-22 13:25 UTC by Hans de Graaff
Modified: 2020-03-17 14:28 UTC

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+
Description Hans de Graaff gentoo-dev 2019-10-22 13:25:23 UTC
This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported by

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected Versions

Loofah <= v2.3.0
Upgrade to Loofah v2.3.1 or later.
Comment 1 Hans de Graaff gentoo-dev 2019-10-22 13:25:44 UTC
dev-ruby/loofah 2.3.1 has been added.
Comment 2 Agostino Sarubbo gentoo-dev 2019-10-28 07:42:21 UTC
amd64 stable.

Maintainer(s), please cleanup.
Comment 3 Hans de Graaff gentoo-dev 2019-11-11 19:19:52 UTC
Cleanup done.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-17 14:28:44 UTC
GLSA Vote: No!

Repository is clean, all done.