MEDIUM 5.4
GHSA-g4xq-jx4w-4cjv
Loofah Cross-site Scripting vulnerability
Details
In the Loofah gem for Ruby, through version 2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. Users are advised to upgrade to version 2.2.3.
See https://github.com/flavorjones/loofah/issues/154 for more details.
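To check a project against the version range above, the lockfile can be inspected directly. The following is an added example, not code from the advisory or from the Loofah project; the helper names and the sample Gemfile.lock (including the versions of the other gems) are constructed for illustration, and treating everything below 2.2.3 as affected is an assumption that also flags pre-releases of 2.2.3.

```ruby
require "rubygems" # Gem::Version; loaded by default, explicit for clarity

# From the advisory text: affected through 2.2.2, fixed in 2.2.3.
FIXED_IN = Gem::Version.new("2.2.3")

# Constructed sample lockfile (illustrative, not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.5)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  DEPENDENCIES
    loofah
LOCK

# Return the loofah version resolved in a "specs:" section, or nil.
# Resolved gems sit at four spaces of indent; deeper lines are dependency
# constraints of other gems and say nothing about the installed version.
def locked_loofah_version(lockfile_text)
  in_specs = false
  lockfile_text.each_line do |line|
    line = line.chomp
    if line =~ /\A  specs:\z/
      in_specs = true
    elsif line =~ /\A\S/ || line.empty?
      in_specs = false # a new top-level section or blank line ends specs
    elsif in_specs && (m = line.match(/\A    loofah \(([^)\s]+)\)\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Classify a lockfile as :not_present, :affected or :fixed.
# Assumption: anything below 2.2.3 counts as affected (conservative).
def loofah_advisory_status(lockfile_text)
  version = locked_loofah_version(lockfile_text)
  return :not_present if version.nil?
  version < FIXED_IN ? :affected : :fixed
end

puts "loofah: #{loofah_advisory_status(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)}"
```

Pass the path to a Gemfile.lock as the first argument to check a real project; with no argument the constructed sample is used.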