FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Loofah -- XSS vulnerability

Affected packages
rubygem-loofah < 2.2.1

Details

VuXML ID ba6d0c9b-f5f6-4b9b-a6de-3cce93c83220
Discovery 2018-03-15
Entry 2018-03-20

GitHub issue:

This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.

Loofah allows non-whitelisted attributes to be present in sanitized output when given input with specially-crafted HTML fragments.

References

CVE Name CVE-2018-8048
URL https://github.com/flavorjones/loofah/issues/144
URL https://github.com/flavorjones/loofah/releases