CVE-2018-8048 — Cross-site Scripting in Project Loofah
Severity: 6.1 MEDIUM (NVD)
EPSS: 0.7% (top 28.21%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 27
Latest update: Apr 26
Description
In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Exploitability: 2.8 | Impact: 2.7)
Affected packages: 8
Also affects: Debian Linux 9.0
Vulnerability Details (6)
OSV: CVE-2018-3741: There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1 (2018-03-30)
Vendor Advisories (4)
Red Hat: rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability (2018-03-21)
Debian: CVE-2018-3741: ruby-rails-html-sanitizer - There is a possible XSS vulnerability in all rails-html-sanitizer gem versions b... (2018)
Debian: CVE-2018-8048: ruby-loofah - In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may oc... (2018)
Community (4)
Bugzilla: CVE-2018-3741 rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability (2018-04-18)
Bugzilla: CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2 (2018-03-21)
Bugzilla: CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2 [fedora-all] (2018-03-21)