CVSSv2: 4.3

CVE-2018-3741

Published: 30/03/2018 Updated: 09/10/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. When given specially crafted HTML fragments as input, the gem allows non-whitelisted attributes to remain in the sanitized output, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.

Affected Products

Vendor       Product          Versions
Rubyonrails  Html Sanitizer   1.0.3

Vendor Advisories

Debian Bug report logs - #893994 ruby-rails-html-sanitizer: CVE-2018-3741. Package: src:ruby-rails-html-sanitizer; Maintainer for src:ruby-rails-html-sanitizer is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Georg Faerber <georg@riseup.net>; Date: Sun, 25 Mar 2018 04 ...

Github Repositories

TrivyWeb - A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI, for Web.

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI.

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI. Accuracy Comparison: the number of vulnerabilities detected on Alpine Linux (as of 2019/05/12); see Comparison with other scanners for details.