GHSA-x7rv-cr6v-4vm4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-x7rv-cr6v-4vm4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-x7rv-cr6v-4vm4/GHSA-x7rv-cr6v-4vm4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-x7rv-cr6v-4vm4
- Aliases
- Published
- 2018-03-21T11:57:11Z
- Modified
- 2024-02-22T05:21:17.045269Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-site Scripting in loofah
- Details
-
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
Users are affected if running Loofah < 2.2.1, but only:
- when running on MRI or RBX,
- in combination with libxml2 >= 2.9.2.
JRuby users are not affected.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-8048
- https://github.com/flavorjones/loofah/issues/144
- https://github.com/sparklemotion/nokogiri/pull/1746
- https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116
- https://github.com/advisories/GHSA-x7rv-cr6v-4vm4
- https://github.com/flavorjones/loofah
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2018-8048.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml
- https://security.netapp.com/advisory/ntap-20191122-0003
- https://www.debian.org/security/2018/dsa-4171
- http://www.openwall.com/lists/oss-security/2018/03/19/5
Affected packages
RubyGems / loofah
Package
- Name
- loofah
- Purl
- pkg:gem/loofah
RubyGems / nokogiri
Package
- Name
- nokogiri
- Purl
- pkg:gem/nokogiri
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.8.3
Affected versions
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.4.0
1.4.1
1.4.2
1.4.2.1
1.4.3
1.4.3.1
1.4.4
1.4.4.1
1.4.4.2
1.4.5
1.4.6
1.4.7
1.5.0.beta.1
1.5.0.beta.2
1.5.0.beta.3
1.5.0.beta.4
1.5.0
1.5.1.rc1
1.5.1
1.5.2
1.5.3.rc2
1.5.3.rc3
1.5.3.rc4
1.5.3.rc5
1.5.3.rc6
1.5.3
1.5.4.rc1
1.5.4.rc2
1.5.4.rc3
1.5.4
1.5.5.rc1
1.5.5.rc2
1.5.5.rc3
1.5.5
1.5.6.rc1
1.5.6.rc2
1.5.6.rc3
1.5.6
1.5.7.rc1
1.5.7.rc2
1.5.7.rc3
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.6.0.rc1
1.6.0
1.6.1
1.6.2.rc1
1.6.2.rc2
1.6.2.rc3
1.6.2
1.6.2.1
1.6.3.rc1
1.6.3.rc2
1.6.3.rc3
1.6.3
1.6.3.1
1.6.4
1.6.4.1
1.6.5
1.6.6.1
1.6.6.2
1.6.6.3
1.6.6.4
1.6.7.rc2
1.6.7.rc3
1.6.7.rc4
1.6.7
1.6.7.1
1.6.7.2
1.6.8.rc1
1.6.8.rc2
1.6.8.rc3
1.6.8
1.6.8.1
1.7.0
1.7.0.1
1.7.1
1.7.2
1.8.0
1.8.1
1.8.2