Re: [CVE-2019-15587] Loofah XSS Vulnerability

Related Vulnerabilities: CVE-2019-15587  
oss-sec
mailing list archives
From: Mike Dalessio <mike.dalessio () gmail com>

Date: Tue, 22 Oct 2019 09:24:20 -0400

Apologies - the "Affected Versions" section should have read *Loofah <=
v2.3.0*

On Tue, Oct 22, 2019 at 9:15 AM Mike Dalessio <mike.dalessio () gmail com>
wrote:

Hello all,

A *medium* severity vulnerability has been identified and patched in
Loofah v2.3.1, which is a dependency of `rails-html-sanitizer`. This issue
has been assigned CVE-2019-15587.

The public notice can be found here:

  https://github.com/flavorjones/loofah/issues/171

To save you a click, I've reproduced the contents of the announcement here.

---

*# CVE-2019-15587 - Loofah XSS Vulnerability*
This issue has been created for public disclosure of an XSS vulnerability
that was responsibly reported by https://hackerone.com/vxhex

I'd like to thank [HackerOne](https://hackerone.com/loofah) for providing
a secure, responsible mechanism for reporting, and for providing their
fantastic service to the Loofah maintainers.

*## Severity*
Loofah maintainers have evaluated this as [Medium (CVSS3 6.4)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L).

*## Description*
In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
sanitized output when a crafted SVG element is republished.

*## Affected Versions*
Loofah < v2.3.0

*## Mitigation*
Upgrade to Loofah v2.3.1 or later.
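The practical question for a defender reading this advisory is whether a given application's resolved `loofah` version falls inside the affected range, which per the correction at the top of this message is `<= 2.3.0`, with `2.3.1` the first fixed release. The following Ruby script is an added example, not part of the advisory or of the Loofah project: it parses the `specs:` section of a `Gemfile.lock`, compares the pinned `loofah` version using `Gem::Version` from rubygems, and reports whether an upgrade is needed. The embedded lockfile text is constructed for illustration.

```ruby
# Added example (not from the advisory): check a Gemfile.lock for a loofah
# version affected by CVE-2019-15587 (affected: <= 2.3.0, fixed: >= 2.3.1).
require "rubygems"

AFFECTED_MAX = Gem::Version.new("2.3.0")   # last affected release per the advisory
FIXED_MIN    = Gem::Version.new("2.3.1")   # first fixed release per the advisory

# Extract the resolved version of +gem_name+ from a Gemfile.lock.
# Resolved gems appear under "specs:" indented by exactly four spaces,
# e.g. "    loofah (2.2.3)"; dependency lines are indented further and
# carry requirement operators, so they are deliberately not matched.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*$/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the resolved version is in the affected range.
def loofah_vulnerable?(version)
  version <= AFFECTED_MAX
end

# Summarise the lockfile: :not_present, :vulnerable (with the recommended
# action), or :ok.
def check_lockfile(lockfile_text)
  v = locked_version(lockfile_text, "loofah")
  return { status: :not_present, version: nil } if v.nil?

  if loofah_vulnerable?(v)
    { status: :vulnerable, version: v.to_s, action: "upgrade to loofah >= #{FIXED_MIN}" }
  else
    { status: :ok, version: v.to_s }
  end
end

# Constructed sample lockfile (not taken from any real project); the
# rails-html-sanitizer entry shows the transitive dependency the advisory
# mentions.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.3)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  result = check_lockfile(SAMPLE_LOCK)
  puts "loofah #{result[:version] || '(absent)'}: #{result[:status]}"
  puts "  #{result[:action]}" if result[:action]
end
```

Run it against a real lockfile with `check_lockfile(File.read("Gemfile.lock"))`. Matching only the four-space `specs:` entries matters: the `loofah (~> 2.2, >= 2.2.2)` requirement line under `rails-html-sanitizer` states what the sanitizer accepts, not what was actually resolved, and reading it would give a false sense of safety.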
