CVE-2019-15587 — Cross-site Scripting in Project Loofah

CWE-79 — Cross-site Scripting10 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

3.0%

top 13.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Loofah Project Loofah Debian Ruby-loofah Canonical Ubuntu Linux +2 more

Timeline

PublishedOct 22

Latest updateSep 15

Description

In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/ruby-loofah< ruby-loofah 2.3.1+dfsg-1 (bookworm)

▶RubyGemsloofah_project/loofah< 2.3.1

▶NVDloofah_project/loofah2.3.0

Also affects: Debian Linux 10.0, 9.0, Fedora 30, 31, Ubuntu Linux 16.04

🔴Vulnerability Details

OSV

ruby-loofah vulnerability↗2020-09-15

▶

OSV

Loofah Allows Cross-site Scripting↗2019-11-05

▶

GHSA

Loofah Allows Cross-site Scripting↗2019-11-05

▶

OSV

CVE-2019-15587: In the Loofah gem for Ruby through v2↗2019-10-22

▶

📋Vendor Advisories

Ubuntu

Loofah vulnerability↗2020-09-15

▶

Red Hat

rubygem-loofah: XXS when a crafted SVG element is republished↗2019-10-10

▶

Debian

CVE-2019-15587: ruby-loofah - In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sa...↗2019

▶

💬Community

Bugzilla

CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished [fedora-all]↗2020-02-20

▶

Bugzilla

CVE-2019-15587 rubygem-loofah: XXS when a crafted SVG element is republished↗2019-11-19

▶