CVE-2018-16468Cross-site Scripting in Project Loofah

CWE-79Cross-site Scripting8 documents6 sources
Severity
5.4MEDIUMNVD
EPSS
0.3%
top 45.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Loofah Project LoofahDebian Ruby-loofahDebian Linux
Timeline
PublishedOct 30
Latest updateNov 5

Description

In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

debiandebian/ruby-loofah< ruby-loofah 2.2.3-1 (bookworm)
RubyGemsloofah_project/loofah< 2.2.3

Also affects: Debian Linux 9.0

🔴Vulnerability Details

3
OSV
Loofah Cross-site Scripting vulnerability2018-11-01
GHSA
Loofah Cross-site Scripting vulnerability2018-11-01
OSV
CVE-2018-16468: In the Loofah gem for Ruby, through v22018-10-30

📋Vendor Advisories

2
Red Hat
rubygem-loofah: XXS when a crafted SVG element is republished2018-10-27
Debian
CVE-2018-16468: ruby-loofah - In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in ...2018

💬Community

2
Bugzilla
CVE-2018-16468 rubygem-loofah: XXS when a crafted SVG element is republished2018-11-05
Bugzilla
CVE-2018-16468 rubygem-loofah: XXS when a crafted SVG element is republished [fedora-all]2018-11-05