rails-html-sanitizer >= 1.0.3, < 1.4.4
is vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0
.
Upgrade to rails-html-sanitizer >= 1.4.4
.
The maintainers have evaluated this as Medium Severity 6.1.
This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).
{ "nvd_published_at": "2022-12-14T17:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-13T17:45:39Z" }