CVE-2022-23515 — Cross-site Scripting in Project Loofah

CWE-79 — Cross-site Scripting6 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.3%

top 49.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Loofah Project Loofah Debian Ruby-loofah Flavorjones Loofah +1 more

Timeline

PublishedDec 14

Description

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages4 packages

▶debiandebian/ruby-loofah< ruby-loofah 2.19.1-1 (bookworm)

▶NVDloofah_project/loofah2.1.0 — 2.19.1

▶RubyGemsloofah_project/loofah2.1.0 — 2.19.1

▶CVEListV5flavorjones/loofah>= 2.1.0, < 2.19.1

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

CVE-2022-23515: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri↗2022-12-14

▶

GHSA

Improper neutralization of data URIs may allow XSS in Loofah↗2022-12-13

▶

OSV

Improper neutralization of data URIs may allow XSS in Loofah↗2022-12-13

▶

📋Vendor Advisories

Red Hat

rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting↗2022-12-13

▶

Debian

CVE-2022-23515: ruby-loofah - Loofah is a general library for manipulating and transforming HTML/XML documents...↗2022

▶