CVE-2018-8048
Published 2018-03-27
CVE-2018-8048: In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.
Priority P426 · medium · 6.1 · CVSS 3.0
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
1.98%
78.1th percentile
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | ruby-loofah | < ruby-loofah 2.2.1-1 (bookworm) | ruby-loofah 2.2.1-1 (bookworm) |
| debian | ruby-rails-html-sanitizer | < ruby-rails-html-sanitizer 1.0.4-1 (bookworm) | ruby-rails-html-sanitizer 1.0.4-1 (bookworm) |
| loofah_project | loofah | < 2.2.1 | 2.2.1 |
| loofah_project | loofah | >= 0 < 2.2.1 | 2.2.1 |
| nokogiri | nokogiri | >= 0 < 1.8.3 | 1.8.3 |
| rails | rails-html-sanitizer | <= 1.0.3 | — |
| rails | rails-html-sanitizer | >= 0 < 1.0.4 | 1.0.4 |
| rubyonrails | html_sanitizer | <= 1.0.3 | — |
CVSS provenance
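| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |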
GHSA
rails-html-sanitizer Cross-site Scripting vulnerability
ghsa·2018-04-26·CVSS 6.1
CVE-2018-3741 [MEDIUM] CWE-79 rails-html-sanitizer Cross-site Scripting vulnerability
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
OSV
rails-html-sanitizer Cross-site Scripting vulnerability
osv·2018-04-26·CVSS 6.1
CVE-2018-3741 [MEDIUM] rails-html-sanitizer Cross-site Scripting vulnerability
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
OSV
CVE-2018-3741: There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1
osv·2018-03-30·CVSS 6.1
CVE-2018-3741 [MEDIUM] CVE-2018-3741: There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
OSV
CVE-2018-8048: In the Loofah gem through 2
osv·2018-03-27·CVSS 6.1
CVE-2018-8048 [MEDIUM] CVE-2018-8048: In the Loofah gem through 2
In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.
OSV
Cross-site Scripting in loofah
osv·2018-03-21
CVE-2018-8048 [MEDIUM] Cross-site Scripting in loofah
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
Users are affected if running Loofah < 2.2.1 in combination with libxml2 >= 2.9.2.
JRuby users are not affected.
GHSA
Cross-site Scripting in loofah
ghsa·2018-03-21
CVE-2018-8048 [MEDIUM] CWE-79 Cross-site Scripting in loofah
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
Users are affected if running Loofah < 2.2.1 in combination with libxml2 >= 2.9.2.
JRuby users are not affected.
Red Hat
rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability
vendor_redhat·2018-03-21·CVSS 6.1
CVE-2018-3741 [MEDIUM] CWE-79 rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
Statement: This issue affects the versions of rubygem-rails-html-sanitizer as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security
Red Hat
rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2
vendor_redhat·2018-03-15·CVSS 6.1
CVE-2018-8048 [MEDIUM] CWE-79 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2
In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.
Statement: This issue affects the versions of rubygem-loofah as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security impact of Moderate. This vulnerability won't be fixed on CloudForms 4, because it uses libxml 2.9.1 and since the vulnerability requires a libxml >= 2.9.2 in order to be exploitable. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/
Package: rh-ror42-rubygem-loofah (Red Hat Software Collections) - Not affected
Pac
Debian
CVE-2018-3741: ruby-rails-html-sanitizer - There is a possible XSS vulnerability in all rails-html-sanitizer gem versions b...
vendor_debian·2018·CVSS 6.1
CVE-2018-3741 [MEDIUM] CVE-2018-3741: ruby-rails-html-sanitizer - There is a possible XSS vulnerability in all rails-html-sanitizer gem versions b...
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
Scope: local
bookworm: resolved (fixed in 1.0.4-1)
bullseye: resolved (fixed in 1.0.4-1)
forky: resolved (fixed in 1.0.4-1)
sid: resolved (fixed in 1.0.4-1)
trixie: resolved (fixed in 1.0.4-1)
Debian
CVE-2018-8048: ruby-loofah - In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may oc...
vendor_debian·2018·CVSS 6.1
CVE-2018-8048 [MEDIUM] CVE-2018-8048: ruby-loofah - In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may oc...
In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.
Scope: local
bookworm: resolved (fixed in 2.2.1-1)
bullseye: resolved (fixed in 2.2.1-1)
forky: resolved (fixed in 2.2.1-1)
sid: resolved (fixed in 2.2.1-1)
trixie: resolved (fixed in 2.2.1-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-3741 rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability
bugzilla·2018-04-18·CVSS 6.1
CVE-2018-3741 [MEDIUM] CVE-2018-3741 rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
Upstream fix:
https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae
Discussion:
Created rubygem-rails-html-sanitizer tracki
HackerOne
XSS vulnerability in sanitize-method when parsing link's href
hackerone·2018-03-22·CVSS 6.1
CVE-2018-3741 [MEDIUM] XSS vulnerability in sanitize-method when parsing link's href
Possible XSS vulnerability in rails-html-sanitizer
There is a possible XSS vulnerability in rails-html-sanitizer. This
vulnerability has been assigned the CVE identifier CVE-2018-3741.
Versions Affected: 1.0.3 or older.
Not affected: None.
Fixed Versions: 1.0.4
Impact
There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows non-whitelisted
attributes to be present in sanitized output when input with specially-crafted HTML fragments,
and these attributes can lead to an XSS attack on target applications.
This issue is similar to CVE-2018-8048 in Loofah.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
The FIXED releases are available at the
Bugzilla
CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2
bugzilla·2018-03-21·CVSS 6.1
CVE-2018-8048 [MEDIUM] CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
Affected versions: Loofah < 2.2.1 in combination with libxml2 >= 2.9.2.
Upstream bug:
https://github.com/flavorjones/loofah/issues/144
Upstream patch:
https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116
Reference:
http://seclists.org/oss-sec/2018/q1/253
Discussion:
Created rubygem-loofah tracking bugs for this issue:
Affects: fedora-all [bug 1559072]
---
Statement:
This issue affects the versions of rubygem-loofah as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security impact of Moderate. This vulnerability
Bugzilla
CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2 [fedora-all]
bugzilla·2018-03-21·CVSS 6.1
CVE-2018-8048 [MEDIUM] CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2 [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this iss
http://www.openwall.com/lists/oss-security/2018/03/19/5
https://github.com/flavorjones/loofah/issues/144
https://security.netapp.com/advisory/ntap-20191122-0003/
https://www.debian.org/security/2018/dsa-4171
2018-03-27
Published