GitHub Advisory DatabaseGHSA-228G-948R-83GXImproper neutralization of data URIs may allow XSS in Loofah
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
50.9%
Summary
Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.
Mitigation
Upgrade to Loofah >= 2.19.1.
Severity
The Loofah maintainers have evaluated this as Medium Severity 6.1.
References
- CWE - CWE-79: Improper Neutralization of Input During Web Page Generation (โCross-site Scriptingโ) (4.9)
- SVG MIME Type (image/svg+xml) is misleading to developers ยท Issue #266 ยท w3c/svgwg
- https://hackerone.com/reports/1694173
- https://github.com/flavorjones/loofah/issues/101
Credit
This vulnerability was responsibly reported by Maciej Piechota (@haqpl).
Affected configurations
References
github.com/advisories/GHSA-228g-948r-83gx
github.com/flavorjones/loofah/commit/415677f3cf7f9254f42f811e784985cd63c7407f
github.com/flavorjones/loofah/issues/101
github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23515.yml
github.com/w3c/svgwg/issues/266
hackerone.com/reports/1694173
lists.debian.org/debian-lts-announce/2023/09/msg00011.html
nvd.nist.gov/vuln/detail/CVE-2022-23515
Related
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
50.9%