Cross-Site Scripting (XSS)

2022-12-1404:47:44

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

loofah

xss

vulnerability

data url

sanitization

software

remote attacker

javascript

0.001 Low

EPSS

Percentile

50.9%

JSON

loofah is vulnerable to cross-site scripting. The vulnerability exists due to the lack of sanitization data urls in the image/svg+xml parameter in safelist.rb which allows a remote attacker to inject and execute malicious JavaScript into the system.

CPENameOperatorVersion
loofahle2.19.0
ruby-loofah:sideq2.7.0+dfsg-1
ruby-loofah:sideq2.9.0-1
ruby-loofah:sideq2.12.0-1
rubygem-loofaheq2.4.0__2.el8sat
loofahle2.19.0
ruby-loofah:sideq2.7.0+dfsg-1
ruby-loofah:sideq2.9.0-1
ruby-loofah:sideq2.12.0-1
rubygem-loofaheq2.4.0__2.el8sat

Name	Operator	Version
loofah	le	2.19.0
ruby-loofah:sid	eq	2.7.0+dfsg-1
ruby-loofah:sid	eq	2.9.0-1
ruby-loofah:sid	eq	2.12.0-1
rubygem-loofah	eq	2.4.0__2.el8sat
loofah	le	2.19.0
ruby-loofah:sid	eq	2.7.0+dfsg-1
ruby-loofah:sid	eq	2.9.0-1
ruby-loofah:sid	eq	2.12.0-1
rubygem-loofah	eq	2.4.0__2.el8sat