CVE-2018-16468 - Loofah XSS Vulnerability #154

flavorjones · 2018-10-27T19:06:55Z

CVE-2018-16468 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by Shubham Pathak and @yasinS (Yasin Soliman).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

Severity

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

Description

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected Versions

Loofah < v2.2.3.

Mitigation

Upgrade to Loofah v2.2.3.

References

HackerOne report

History of this public disclosure

2018-10-27: disclosure created, all information is embargoed
2018-10-30: embargo ends, full information made available

flavorjones · 2018-10-30T12:24:12Z

This vulnerability has been assigned CVE-2018-16468.

this addresses CVE-2018-16468 see #154 for more information #154

flavorjones · 2018-10-30T13:02:08Z

This issue has been updated with full unembargoed information.

this addresses CVE-2018-16468 see #154 for more information #154

This fixes CVE-2018-16468 [1]. [1]: flavorjones/loofah#154

Fixes CVE-2018-16468: flavorjones/loofah#154

ruby advisory fails on ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 ``` Once rails/rails-html-sanitizer#73 is merged, we can remove this exception.

More info at flavorjones/loofah#154

CVE-2018-16468 - Loofah XSS Vulnerability flavorjones/loofah#154

loofah < 2.2.3 has a cross-site scriting vulnerability reported.[1] [1] flavorjones/loofah#154 Supermarket is not vulnerable to this. The library is being updated out of an abundance of caution and to appease the vulnerability scanner. Signed-off-by: Robb Kidd <rkidd@chef.io>

The loofah gem < 2.2.3 is a security risk, so have updated it to 2.2.3, as well as the other gems. See flavorjones/loofah#154

Fix flavorjones/loofah#154

loofah: CVE-2018-16468: flavorjones/loofah#154 nokogiri: CVE-2018-14404 and CVE-2018-14567 https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md rack: CVE-2018-16471 rack/rack@e5d5803 i18n: https://github.com/svenfuchs/i18n/releases

loofah: CVE-2018-16468: flavorjones/loofah#154 nokogiri: CVE-2018-14404 and CVE-2018-14567 https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md rack: CVE-2018-16471 rack/rack@e5d5803 i18n: https://github.com/svenfuchs/i18n/releases concurrent-ruby: https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md

flavorjones/loofah#154

There was one CVE filed against the loofah gem, this bumps the version from 1.8.4 to 1.8.5 [CVE-2018-16468][1] > moderate severity > Vulnerable versions: < 2.2.3 > Patched version: 2.2.3 > > In the Loofah gem for Ruby, through version 2.2.2, unsanitized > JavaScript may occur in sanitized output when a crafted SVG element is > republished. Users are advised to upgrade to version 2.2.3. See flavorjones/loofah#154 for more details. [1]: https://nvd.nist.gov/vuln/detail/CVE-2018-16468

- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225

The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

www/ruby-loofah: security update Revisions pulled up: - www/ruby-loofah/Makefile 1.5 - www/ruby-loofah/PLIST 1.4 - www/ruby-loofah/distinfo 1.5 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu Nov 1 16:11:45 UTC 2018 Modified Files: pkgsrc/www/ruby-loofah: Makefile PLIST distinfo Log Message: www/ruby-loofah: update to 2.2.3 ## 2.2.3 / 2018-10-30 ### Security Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. This CVE's public notice is at flavorjones/loofah#154 ## Meta / 2018-10-27 The mailing list is now on Google Groups [#146](flavorjones/loofah#146): * Mail: loofah-talk@googlegroups.com * Archive: https://groups.google.com/forum/#!forum/loofah-talk This change was made because librelist no longer appears to be maintained. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-loofah/Makefile \ pkgsrc/www/ruby-loofah/distinfo cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-loofah/PLIST

loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3

$ bundle exec bundle-audit check Name: actionview Version: 5.2.1 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11 Name: actionview Version: 5.2.1 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Name: activejob Version: 5.2.1 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activestorage Version: 5.2.1 Advisory: CVE-2018-16477 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg Title: Bypass vulnerability in Active Storage Solution: upgrade to >= 5.2.1.1 Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: railties Version: 5.2.1 Advisory: CVE-2019-5420 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw Title: Possible Remote Code Execution Exploit in Rails Development Mode Solution: upgrade to >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Vulnerabilities found!

As reported by `bundler-audit`: Name: loofah Version: 2.2.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3

- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225

www/ruby-loofah: security update Revisions pulled up: - www/ruby-loofah/Makefile 1.5 - www/ruby-loofah/PLIST 1.4 - www/ruby-loofah/distinfo 1.5 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu Nov 1 16:11:45 UTC 2018 Modified Files: pkgsrc/www/ruby-loofah: Makefile PLIST distinfo Log Message: www/ruby-loofah: update to 2.2.3 ## 2.2.3 / 2018-10-30 ### Security Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. This CVE's public notice is at flavorjones/loofah#154 ## Meta / 2018-10-27 The mailing list is now on Google Groups [#146](flavorjones/loofah#146): * Mail: loofah-talk@googlegroups.com * Archive: https://groups.google.com/forum/#!forum/loofah-talk This change was made because librelist no longer appears to be maintained. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-loofah/Makefile \ pkgsrc/www/ruby-loofah/distinfo cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-loofah/PLIST

* Update Loofah to mitigate CVE-2018-16468 (See flavorjones/loofah#154 for details) * Update rake to mitigate CVE-2018-16471 * Update locked gems

www/ruby-loofah: security update Revisions pulled up: - www/ruby-loofah/Makefile 1.5 - www/ruby-loofah/PLIST 1.4 - www/ruby-loofah/distinfo 1.5 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu Nov 1 16:11:45 UTC 2018 Modified Files: pkgsrc/www/ruby-loofah: Makefile PLIST distinfo Log Message: www/ruby-loofah: update to 2.2.3 ## 2.2.3 / 2018-10-30 ### Security Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. This CVE's public notice is at flavorjones/loofah#154 ## Meta / 2018-10-27 The mailing list is now on Google Groups [#146](flavorjones/loofah#146): * Mail: loofah-talk@googlegroups.com * Archive: https://groups.google.com/forum/#!forum/loofah-talk This change was made because librelist no longer appears to be maintained. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-loofah/Makefile \ pkgsrc/www/ruby-loofah/distinfo cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-loofah/PLIST

Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: rack Version: 2.0.8 Advisory: CVE-2020-8161 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA Title: Directory traversal in Rack::Directory app bundled with Rack Solution: upgrade to ~> 2.1.3, >= 2.2.0 Name: rack Version: 2.0.8 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8

www/ruby-loofah: security update Revisions pulled up: - www/ruby-loofah/Makefile 1.5 - www/ruby-loofah/PLIST 1.4 - www/ruby-loofah/distinfo 1.5 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu Nov 1 16:11:45 UTC 2018 Modified Files: pkgsrc/www/ruby-loofah: Makefile PLIST distinfo Log Message: www/ruby-loofah: update to 2.2.3 ## 2.2.3 / 2018-10-30 ### Security Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. This CVE's public notice is at flavorjones/loofah#154 ## Meta / 2018-10-27 The mailing list is now on Google Groups [#146](flavorjones/loofah#146): * Mail: loofah-talk@googlegroups.com * Archive: https://groups.google.com/forum/#!forum/loofah-talk This change was made because librelist no longer appears to be maintained. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-loofah/Makefile \ pkgsrc/www/ruby-loofah/distinfo cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-loofah/PLIST

Numerous CVEs found: Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6

…VEs) It found the following 53 vulnerabilities: Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22885 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI Title: Possible Information Disclosure / Unintended Method Execution in Action Pack Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22904 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ Title: Possible DoS Vulnerability in Action Controller Token Authentication Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2022-23633 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ Title: Possible exposure of information vulnerability in Action Pack Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activerecord Version: 5.1.4 Advisory: CVE-2021-22880 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: addressable Version: 2.5.2 Advisory: CVE-2021-32740 Criticality: High URL: GHSA-jxhc-q857-3j6g Title: Regular Expression Denial of Service in Addressable templates Solution: upgrade to >= 2.8.0 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21288 Criticality: Medium URL: GHSA-fwcm-636p-68r5 Title: Server-side request forgery in CarrierWave Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21305 Criticality: High URL: GHSA-cf3w-g86h-35x4 Title: Code Injection vulnerability in CarrierWave::RMagick Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2020-11023 Criticality: Medium URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released Title: Potential XSS vulnerability in jQuery Solution: upgrade to >= 4.4.0 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: jquery-ui-rails Version: 5.0.5 Advisory: CVE-2016-7103 Criticality: Medium URL: jquery/api.jqueryui.com#281 Title: XSS Vulnerability on closeText option of Dialog jQuery UI Solution: upgrade to >= 6.0.0 Name: kaminari Version: 1.1.1 Advisory: CVE-2020-11082 Criticality: Medium URL: GHSA-r5jw-62xg-j433 Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter Solution: upgrade to >= 1.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Medium URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: mini_magick Version: 4.8.0 Advisory: CVE-2019-13574 Criticality: High URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ Title: Remote command execution via filename Solution: upgrade to >= 4.9.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-41098 Criticality: High URL: GHSA-2rr5-8q37-2w7h Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Solution: upgrade to >= 1.12.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: High URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24839 Criticality: High URL: GHSA-9849-p7jc-9rmv Title: Denial of Service (DoS) in Nokogiri on JRuby Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-23437 Criticality: Medium URL: GHSA-xxx9-3xcr-gjj3 Title: XML Injection in Xerces Java affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-30560 Criticality: High URL: GHSA-fq42-c5rg-92c2 Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Solution: upgrade to >= 1.13.2 Name: nokogiri Version: 1.8.1 Advisory: GHSA-7rrm-v45f-jp64 Criticality: High URL: GHSA-7rrm-v45f-jp64 Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Solution: upgrade to >= 1.11.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-25032 Criticality: High URL: GHSA-v6gp-9mmm-c6p5 Title: Out-of-bounds Write in zlib affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24836 Criticality: High URL: GHSA-crjr-9rc5-ghw8 Title: Inefficient Regular Expression Complexity in Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: puma Version: 4.3.3 Advisory: CVE-2021-29509 Criticality: High URL: GHSA-q28m-8xjw-8vr5 Title: Keepalive Connections Causing Denial Of Service in puma Solution: upgrade to ~> 4.3.8, >= 5.3.1 Name: puma Version: 4.3.3 Advisory: CVE-2022-24790 Criticality: Critical URL: GHSA-h99w-9q5r-gjq9 Title: HTTP Request Smuggling in puma Solution: upgrade to ~> 4.3.12, >= 5.6.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11076 Criticality: High URL: GHSA-x7jg-6pwg-fx5h Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.5, >= 4.3.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11077 Criticality: Medium URL: GHSA-w64w-qqph-5gxm Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.6, >= 4.3.5 Name: puma Version: 4.3.3 Advisory: CVE-2022-23634 Criticality: High URL: GHSA-rmj8-8hhh-gv5h Title: Information Exposure with Puma when used with Rails Solution: upgrade to ~> 4.3.11, >= 5.6.2 Name: puma Version: 4.3.3 Advisory: CVE-2021-41136 Criticality: Low URL: GHSA-48w2-rm65-62xx Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Solution: upgrade to ~> 4.3.9, >= 5.5.1 Name: rack Version: 2.2.2 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: rails_admin Version: 1.2.0 Advisory: CVE-2020-36190 Criticality: Medium URL: railsadminteam/rails_admin@d72090e Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to ~> 1.4.3, >= 2.0.2 Name: rails_admin Version: 1.2.0 Advisory: CVE-2017-12098 Criticality: Medium URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to >= 1.3.0 Name: rake Version: 12.3.0 Advisory: CVE-2020-8130 Criticality: High URL: GHSA-jppv-gw3r-w3q8 Title: OS Command Injection in Rake Solution: upgrade to >= 12.3.3 Name: redcarpet Version: 3.4.0 Advisory: CVE-2020-26298 Criticality: Medium URL: vmg/redcarpet@a699c82 Title: Injection/XSS in Redcarpet Solution: upgrade to >= 3.5.1 Name: websocket-extensions Version: 0.1.3 Advisory: CVE-2020-7663 Criticality: High URL: GHSA-g6wq-qcwm-j5g2 Title: Regular Expression Denial of Service in websocket-extensions (RubyGem) Solution: upgrade to >= 0.1.5

- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225

www/ruby-loofah: security update Revisions pulled up: - www/ruby-loofah/Makefile 1.5 - www/ruby-loofah/PLIST 1.4 - www/ruby-loofah/distinfo 1.5 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Thu Nov 1 16:11:45 UTC 2018 Modified Files: pkgsrc/www/ruby-loofah: Makefile PLIST distinfo Log Message: www/ruby-loofah: update to 2.2.3 ## 2.2.3 / 2018-10-30 ### Security Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. This CVE's public notice is at flavorjones/loofah#154 ## Meta / 2018-10-27 The mailing list is now on Google Groups [#146](flavorjones/loofah#146): * Mail: loofah-talk@googlegroups.com * Archive: https://groups.google.com/forum/#!forum/loofah-talk This change was made because librelist no longer appears to be maintained. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-loofah/Makefile \ pkgsrc/www/ruby-loofah/distinfo cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-loofah/PLIST

flavorjones added the security label Oct 27, 2018

flavorjones changed the title ~~placeholder - security vulnerability~~ placeholder - embargoed security vulnerability Oct 28, 2018

flavorjones added a commit that referenced this issue Oct 30, 2018

remove the svg animate attribute from from the allowlist

71e4b54

this addresses CVE-2018-16468 see #154 for more information #154

flavorjones changed the title ~~placeholder - embargoed security vulnerability~~ CVE-2018-16468 - Loofah XSS Vulnerability Oct 30, 2018

greysteil mentioned this issue Oct 30, 2018

Add CVE-2018-16468 rubysec/ruby-advisory-db#363

Merged

flavorjones added a commit that referenced this issue Oct 30, 2018

remove the svg animate attribute from from the allowlist

be0fd3a

this addresses CVE-2018-16468 see #154 for more information #154

floehopper added a commit to Crown-Commercial-Service/crown-marketplace that referenced this issue Oct 30, 2018

Update loofah from v2.2.2 -> v2.2.3 to fix security vulnerability

e560aeb

This fixes CVE-2018-16468 [1]. [1]: flavorjones/loofah#154

albertoalmagro mentioned this issue Oct 30, 2018

Update Loofah to 2.2.3 rails/rails#34350

Closed

flavorjones closed this as completed Oct 30, 2018

chrishunt pushed a commit to codecation/trailmix that referenced this issue Oct 30, 2018

Update loofah gem

8aa544f

Fixes CVE-2018-16468: flavorjones/loofah#154

chrishunt mentioned this issue Oct 30, 2018

[CVE-2018-16468] Update loofah gem codecation/trailmix#175

Merged

kaspergrubbe added a commit to kaspergrubbe/rails-html-sanitizer that referenced this issue Oct 31, 2018

Use Loofah 2.2.3 to address CVE-2018-16468

f9be18f

More info at flavorjones/loofah#154

kaspergrubbe mentioned this issue Oct 31, 2018

Use Loofah 2.2.3 to address CVE-2018-16468 rails/rails-html-sanitizer#74

Closed

annaswims added a commit to department-of-veterans-affairs/vets-api that referenced this issue Oct 31, 2018

update loofah gem to address CVE

9e7ac95

CVE-2018-16468 - Loofah XSS Vulnerability flavorjones/loofah#154

annaswims mentioned this issue Oct 31, 2018

Update loofah gem to address CVE department-of-veterans-affairs/vets-api#2409

Merged

5 tasks

DarthHater mentioned this issue Oct 31, 2018

Update Loofah DARIAEngineering/dcaf_case_management#1521

Merged

dylanpinn mentioned this issue Oct 31, 2018

Fix CVE - Bump loofah dependency rails/rails-html-sanitizer#75

Closed

motiko mentioned this issue Oct 31, 2018

Upgrade loofah dependency to 2.2.3 rails/rails-html-sanitizer#76

Closed

adrianotadao mentioned this issue Oct 31, 2018

Upgrading Loofah gem version [xss-vulnerability on version 2.2.2] rails/rails-html-sanitizer#77

Closed

This was referenced Oct 31, 2018

Update asset structure with webpacker gem DMPRoadmap/roadmap#1962

Merged

updated README release section and updated gem dependencies DMPRoadmap/roadmap#1975

Closed

robbkidd mentioned this issue Oct 31, 2018

upgrade loofah to 2.2.3 chef/supermarket#1778

Merged

joshpencheon mentioned this issue Nov 1, 2018

Update minimum Loofah dependency to 2.2.3 rails/rails-html-sanitizer#78

Closed

cdccollins added a commit to LBHackney-IT/repairs-management that referenced this issue Nov 1, 2018

Update Gemfile.lock for security purposes

e2dc2f2

The loofah gem < 2.2.3 is a security risk, so have updated it to 2.2.3, as well as the other gems. See flavorjones/loofah#154

cdccollins mentioned this issue Nov 1, 2018

Update Gemfile.lock for security purposes LBHackney-IT/repairs-management#111

Closed

ramontayag added a commit to bloom-solutions/crypto-cold-store that referenced this issue Nov 15, 2018

Upgrade loofah

fad1998

Fix flavorjones/loofah#154

antw added a commit to quintel/etmodel that referenced this issue Nov 20, 2018

Update Loofah to 2.2.3

7f047b6

flavorjones/loofah#154

antw added a commit to quintel/etengine that referenced this issue Nov 20, 2018

Update Loofah to 2.2.3

4559408

flavorjones/loofah#154

antw added a commit to quintel/etengine that referenced this issue Nov 20, 2018

Update Loofah to 2.2.3

29a64fc

flavorjones/loofah#154

ozzyaaron mentioned this issue Nov 27, 2018

Security updates interexchange/campminder-rb#29

Merged

azul pushed a commit to riseuplabs/crabgrass-core that referenced this issue May 29, 2019

Fix: Update loofah

4eb1337

loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3

flavorjones mentioned this issue Nov 26, 2019

explore using DOMPurify's allowlists #155

Open

7 tasks

MartinGantenbein pushed a commit to MartinGantenbein/hitobito that referenced this issue Mar 22, 2020

Vulnerable Gem updates

cd5cb94

* Update Loofah to mitigate CVE-2018-16468 (See flavorjones/loofah#154 for details) * Update rake to mitigate CVE-2018-16471 * Update locked gems

MartinGantenbein pushed a commit to MartinGantenbein/hitobito that referenced this issue Mar 22, 2020

Vulnerable Gem updates

7d0a6c2

* Update Loofah to mitigate CVE-2018-16468 (See flavorjones/loofah#154 for details) * Update rake to mitigate CVE-2018-16471 * Update locked gems

AdrianCann mentioned this issue Oct 10, 2020

Update gems to fix all the CVEs sophomoric/secret#96

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2018-16468 - Loofah XSS Vulnerability #154

CVE-2018-16468 - Loofah XSS Vulnerability #154

flavorjones commented Oct 27, 2018 •

edited

Loading

flavorjones commented Oct 30, 2018

flavorjones commented Oct 30, 2018

CVE-2018-16468 - Loofah XSS Vulnerability #154

CVE-2018-16468 - Loofah XSS Vulnerability #154

Comments

flavorjones commented Oct 27, 2018 • edited Loading

CVE-2018-16468 - Loofah XSS Vulnerability

Severity

Description

Affected Versions

Mitigation

References

History of this public disclosure

flavorjones commented Oct 30, 2018

flavorjones commented Oct 30, 2018

flavorjones commented Oct 27, 2018 •

edited

Loading