Published: 30/03/2018 Updated: 30/01/2023

CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6

CVSS v3 Base Score: 6.1 | Impact Score: 2.7 | Exploitability Score: 2.8

VMScore: 383

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.

Vulnerable Product	Search on Vulmon	Subscribe to Product
rubyonrails html sanitizer

Debian Bug report logs - #893994 ruby-rails-html-sanitizer: CVE-2018-3741 Package: src:ruby-rails-html-sanitizer; Maintainer for src:ruby-rails-html-sanitizer is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Reported by: Georg Faerber <georg@riseupnet> Date: Sun, 25 Mar 2018 04 ...

todoappnotes

We assessed commit # 0da6c131ca38de43f3236b6da739912321074fd9 Findings Weak Password Policy Description The application has a weak password policy allowing user's to have a 6 character password This configuration seen on the following line of code githubcom/selinafeng/todo-app/blob/f6cc0df12a8617644b1c6b5781c6d33fd6ae5414/config/initializers/deviserb#L162 Recomm

CWE-79 https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=893994 https://nvd.nist.gov https://github.com/danielmoore-info/todoappnotes

CVE-2018-3741

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect