CVE-2019-15587
Published: 2019-10-22

CVE-2019-15587: In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Priority: P4 · 24 · medium · CVSS 3.1 base score 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 1.55% (72.1th percentile)
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | ruby-loofah | < ruby-loofah 2.3.1+dfsg-1 (bookworm) | ruby-loofah 2.3.1+dfsg-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| loofah_project | loofah | <= 2.3.0 | — |
| loofah_project | loofah | >= 0 < 2.3.1 | 2.3.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | — | 5.4 | MEDIUM | — |
| vendor_debian | — | 5.4 | MEDIUM | — |
| vendor_redhat | — | 5.4 | MEDIUM | — |
| vendor_ubuntu | — | 5.4 | MEDIUM | — |
OSV: ruby-loofah vulnerability
osv · 2020-09-15 · CVSS 5.4 · MEDIUM
It was discovered that Loofah does not properly sanitize JavaScript in
sanitized output. An attacker could possibly use this issue to perform
XSS attacks. (CVE-2019-15587)
OSV: Loofah Allows Cross-site Scripting
osv · 2019-11-05 · MEDIUM
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
GHSA: Loofah Allows Cross-site Scripting
ghsa · 2019-11-05 · MEDIUM · CWE-79
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
OSV: CVE-2019-15587: In the Loofah gem for Ruby through v2
osv · 2019-10-22 · CVSS 5.4 · MEDIUM
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Ubuntu: Loofah vulnerability
vendor_ubuntu · 2020-09-15 · CVSS 5.4 · MEDIUM
Summary: Loofah could be made to perform XSS attacks if a crafted SVG element is republished.
It was discovered that Loofah does not properly sanitize JavaScript in
sanitized output. An attacker could possibly use this issue to perform
XSS attacks. (CVE-2019-15587)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat: rubygem-loofah: XSS when a crafted SVG element is republished
vendor_redhat · 2019-10-10 · CVSS 5.4 · MEDIUM · CWE-79
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Statement: Supported versions of Satellite 6 contain a vulnerable version of rubygem-loofah. However, it is not possible to inject untrusted SVG files, and thus it is considered that this vulnerability can not be triggered. A future update may fix this vulnerability.
Package: cfme-amazon-smartstate (CloudForms Management Engine 5) - Will not fix
Package: cfme-gemset (CloudForms Management Engine 5) - Will not fix
Package: tfm-ror51-rubygem-loofah (Red Hat Satellite 6) - Not affected
Package: tfm-ror52-rubygem-loofah (Red Hat Satellite 6) - Not affected
Package: rh-ror50-rubygem-loofah (
Debian: CVE-2019-15587: ruby-loofah - In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sa...
vendor_debian · 2019 · CVSS 5.4 · MEDIUM
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Scope: local
bookworm: resolved (fixed in 2.3.1+dfsg-1)
bullseye: resolved (fixed in 2.3.1+dfsg-1)
forky: resolved (fixed in 2.3.1+dfsg-1)
sid: resolved (fixed in 2.3.1+dfsg-1)
trixie: resolved (fixed in 2.3.1+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla: CVE-2019-15587 rubygem-loofah: XSS when a crafted SVG element is republished [fedora-all]
bugzilla · 2020-02-20 · CVSS 5.4 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple suppor
Bugzilla: CVE-2019-15587 rubygem-loofah: XSS when a crafted SVG element is republished
bugzilla · 2019-11-19 · CVSS 5.4 · MEDIUM
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Upstream issue:
https://github.com/flavorjones/loofah/issues/171
References:
https://hackerone.com/reports/709009
https://www.debian.org/security/2019/dsa-4554
https://www.openwall.com/lists/oss-security/2019/10/22/1
Discussion:
Upstream commit:
https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec
---
Created rubygem-loofah tracking bugs for this issue:
Affects: fedora-all [bug 1805200]
---
Statement:
Supported versions of Satellite 6 contain a vulnerable version of rubygem-loofah. Howev
References:
https://github.com/flavorjones/loofah/issues/171
https://hackerone.com/reports/709009
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WK2UG7ORKRQOJ6E4XJ2NVIHYJES6BYZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMCWPLYPNIWYAY443IZZJ4IHBBLIHBP5/
https://security.netapp.com/advisory/ntap-20191122-0003/
https://usn.ubuntu.com/4498-1/
https://www.debian.org/security/2019/dsa-4554