Cross-site Scripting (XSS)

2018-03-2005:38:48

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.002 Low

EPSS

Percentile

59.1%

JSON

loofah is vulnerable to cross-site scripting (XSS) attacks. The vulnerability can occur under specific conditions when running on MRI or RBX and while using libxml2 >= 2.9.2. It exists as the scrub_attributes method in lib/loofah/html5/scrub.rb failed to sanitize some non-whitelisted attributes.

CPENameOperatorVersion
loofahle2.2.1
python-psutileq5.0.1__2.el7rhgs
python-psutileq1.2.1__1.el7
python-psutileq5.2.2__2.el7ost
python-psutileq5.0.1__2.el7ost
python-psutileq5.0.1__1.el7sat
ovirt-ansible-vm-infraeq1.1.9__1.el7ev
ovirt-ansible-vm-infraeq1.1.7__1.el7ev
ovirt-ansible-vm-infraeq1.1.8__1.el7ev
erlangeqR16B__03.7min.1.el7ost

Name	Operator	Version
loofah	le	2.2.1
python-psutil	eq	5.0.1__2.el7rhgs
python-psutil	eq	1.2.1__1.el7
python-psutil	eq	5.2.2__2.el7ost
python-psutil	eq	5.0.1__2.el7ost
python-psutil	eq	5.0.1__1.el7sat
ovirt-ansible-vm-infra	eq	1.1.9__1.el7ev
ovirt-ansible-vm-infra	eq	1.1.7__1.el7ev
ovirt-ansible-vm-infra	eq	1.1.8__1.el7ev
erlang	eq	R16B__03.7min.1.el7ost