CVE-2022-23515
Published 2022-12-14
Priority: P424 · medium · 6.1 (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS: 0.79% (51.7th percentile)
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1.
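As an added defender-side example (not Loofah's own code; Loofah's safelist constants are not reproduced here), a stdlib-only Ruby check that classifies `data:` URI values by media type and refuses `image/svg+xml`, the media type this advisory concerns. The safelist and the sample values are constructed for the example.

```ruby
require "set"

# Constructed safelist for this example (not Loofah's own constant): media
# types an application is willing to embed inline through data: URIs.
# image/svg+xml is deliberately absent: an SVG document is XML that can carry
# <script> and event-handler attributes, so passing it through as if it were
# a bitmap lets active content bypass the HTML sanitizer entirely.
ALLOWED_DATA_MEDIATYPES =
  Set.new(%w[text/plain text/css image/png image/gif image/jpeg image/webp]).freeze

# Browser-style normalization: trim surrounding whitespace and drop embedded
# tab/CR/LF characters, so a scheme or media type broken up with such
# characters is still recognized rather than waved through as "not a data URI".
def normalize_url(value)
  value.to_s.strip.delete("\t\r\n")
end

def data_uri?(value)
  normalize_url(value)[0, 5].casecmp?("data:")   # scheme is case-insensitive
end

# Returns the lowercase "type/subtype" of a well-formed data: URI, or nil when
# the value is not a data: URI or lacks the comma RFC 2397 requires.
def data_uri_mediatype(value)
  return nil unless data_uri?(value)
  header, payload = normalize_url(value)[5..].split(",", 2)
  return nil if payload.nil?                      # no comma: malformed, reject
  type = header.split(";", 2).first.to_s.strip.downcase  # drop ;charset/;base64
  type.empty? ? "text/plain" : type               # RFC 2397 default media type
end

# True only for a well-formed data: URI whose media type is on the safelist.
def allowed_data_uri?(value)
  type = data_uri_mediatype(value)
  !type.nil? && ALLOWED_DATA_MEDIATYPES.include?(type)
end

# Attribute-level policy for src-like attributes: non-data schemes are returned
# unchanged (the caller's scheme policy handles them), allowed data: URIs pass,
# and everything else is dropped by returning nil.
def scrub_src_value(value)
  return value unless data_uri?(value)
  allowed_data_uri?(value) ? value : nil
end
```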
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | ruby-loofah | < ruby-loofah 2.19.1-1 (bookworm) | ruby-loofah 2.19.1-1 (bookworm) |
| flavorjones | loofah | — | — |
| loofah_project | loofah | >= 2.1.0 < 2.19.1 | 2.19.1 |
| loofah_project | loofah | >= 2.1.0 < 2.19.1 | 2.19.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | MEDIUM | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
OSV
CVE-2022-23515 [MEDIUM]: Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri
osv · 2022-12-14 · CVSS 6.1
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1.
GHSA
Improper neutralization of data URIs may allow XSS in Loofah
ghsa · 2022-12-13 · CVE-2022-23515 [MEDIUM] · CWE-79
## Summary
Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs. This issue is patched in version `2.19.1`.
## Severity
The Loofah maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
## References
- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)
- https://hackerone.com/reports/1694173
- https://github.com/flavorjones/loofah/issues/101
## Credit
This vulnerability was responsibly reported by Maciej Piechota (@haqpl).
OSV
Improper neutralization of data URIs may allow XSS in Loofah (mirror of the GHSA advisory above)
osv · 2022-12-13 · CVE-2022-23515 [MEDIUM]
Red Hat
rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting
vendor_redhat · 2022-12-13 · CVE-2022-23515 [MEDIUM] · CWE-79 · CVSS 6.1
A cross-site scripting vulnerability was found in rubygem loofah. While neutralizing certain data URIs, loofah is susceptible to cross-site scripting attacks.
Package: 3scale-amp-zync-container (Red Hat 3scale API Management Platform 2) - Will not fix
Package: tfm-ror51-rubygem-loofah (Red Hat Satellite 6) - Out of support scope
Package: tfm-ror52-rubygem-loofah (Red Hat Satellite 6) - Out of support scope
Package: tfm-rubygem-loof
Debian
CVE-2022-23515: ruby-loofah - Loofah is a general library for manipulating and transforming HTML/XML documents...
vendor_debian · 2022 · CVE-2022-23515 [MEDIUM] · CVSS 6.1
Scope: local
bookworm: resolved (fixed in 2.19.1-1)
bullseye: resolved (fixed in 2.7.0+dfsg-1+deb11u1)
forky: resolved (fixed in 2.19.1-1)
sid: resolved (fixed in 2.19.1-1)
trixie: resolved (fixed in 2.19.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/flavorjones/loofah/issues/101
- https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
- https://hackerone.com/reports/1694173
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
- https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html