GHSA-c3gv-9cxf-6f57
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c3gv-9cxf-6f57
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-c3gv-9cxf-6f57/GHSA-c3gv-9cxf-6f57.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c3gv-9cxf-6f57
- Aliases
- Published
- 2019-11-05T23:58:25Z
- Modified
- 2024-02-16T08:24:36.818396Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Loofah Allows Cross-site Scripting
- Details
-
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
- Database specific
{ "github_reviewed_at": "2019-10-24T20:44:29Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2019-10-22T21:15:00Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-15587
- https://github.com/flavorjones/loofah/issues/171
- https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec
- https://hackerone.com/reports/709009
- https://github.com/flavorjones/loofah
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2019-15587.yml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WK2UG7ORKRQOJ6E4XJ2NVIHYJES6BYZ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMCWPLYPNIWYAY443IZZJ4IHBBLIHBP5
- https://security.netapp.com/advisory/ntap-20191122-0003
- https://usn.ubuntu.com/4498-1
- https://www.debian.org/security/2019/dsa-4554
Affected packages
RubyGems / loofah
Package
- Name
- loofah
- Purl
- pkg:gem/loofah