Ruby/loofah/2.1.0

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.

Loofah also includes some HTML sanitizers based on html5lib's safelist, which are a specific application of the general transformation functionality.

Repo Link: https://rubygems.org/gems/loofah
License: MIT

10 Security Vulnerabilities

Improper neutralization of data URIs may allow XSS in Loofah

Published date: 2022-12-13T17:39:36Z

CVE: CVE-2022-23515

Links:

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as Medium Severity 6.1.

References

Credit

This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13T17:36:28Z

CVE: CVE-2022-23514

Links:

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Loofah Allows Cross-site Scripting

Published date: 2019-11-05T23:58:25Z

CVE: CVE-2019-15587

Links:

In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected versions: ["2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Loofah Cross-site Scripting vulnerability

Published date: 2018-11-01T14:46:01Z

CVE: CVE-2018-16468

Links:

In the Loofah gem for Ruby, through version 2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. Users are advised to upgrade to version 2.2.3.

See https://github.com/flavorjones/loofah/issues/154 for more details.

Affected versions: ["2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Cross-site Scripting in loofah

Published date: 2018-03-21T11:57:11Z

CVE: CVE-2018-8048

Links:

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Users are affected if running Loofah < 2.2.1, but only:

when running on MRI or RBX,
in combination with libxml2 >= 2.9.2.

JRuby users are not affected.

Affected versions: ["2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Loofah XSS Vulnerability

Published date: 2018-10-30

CVE: 2018-16468

CVSS V3: 6.4

Links:

https://github.com/flavorjones/loofah/issues/154

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Loofah XSS Vulnerability

Published date: 2018-03-16

CVE: 2018-8048

CVSS V3: 6.1

Links:

https://github.com/flavorjones/loofah/issues/144

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Loofah XSS Vulnerability

Published date: 2019-10-22

CVE: 2019-15587

CVSS V3: 6.4

Links:

https://github.com/flavorjones/loofah/issues/171

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13

CVE: 2022-23514

CVSS V3: 7.5

Links:

https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Summary

Mitigation

Upgrade to Loofah >= 2.19.1.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Improper neutralization of data URIs may allow XSS in Loofah

Published date: 2022-12-13

CVE: 2022-23515

CVSS V3: 6.1

Links:

https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

61 Other Versions

Version	License	Security	Released
2.24.0	MIT		2025-01-01 - 03:05	4 months
2.23.1	MIT		2024-10-25 - 12:43	7 months
2.23.0	MIT		2024-10-24 - 12:59	7 months
2.22.0	MIT		2023-11-13 - 21:41	over 1 year
2.21.4	MIT		2023-10-10 - 17:55	over 1 year
2.21.3	MIT		2023-05-15 - 21:10	almost 2 years
2.21.2	MIT		2023-05-11 - 15:39	almost 2 years
2.21.1	MIT		2023-05-10 - 14:39	almost 2 years
2.21.0	MIT		2023-05-10 - 13:50	almost 2 years
2.21.0.rc1	MIT		2023-04-03 - 02:21	about 2 years
2.20.0	MIT		2023-04-01 - 17:07	about 2 years
2.19.1	MIT		2022-12-13 - 13:22	over 2 years
2.19.0	MIT	6	2022-09-14 - 13:38	over 2 years
2.18.0	MIT	6	2022-05-11 - 18:42	almost 3 years
2.17.0	MIT	6	2022-04-28 - 13:35	about 3 years
2.16.0	MIT	6	2022-04-01 - 18:27	about 3 years
2.15.0	MIT	6	2022-03-14 - 17:09	about 3 years
2.14.0	MIT	6	2022-02-11 - 19:10	about 3 years
2.13.0	MIT	6	2021-12-10 - 05:21	over 3 years
2.12.0	MIT	6	2021-08-11 - 17:30	over 3 years
2.11.0	MIT	6	2021-07-31 - 21:31	almost 4 years
2.10.0	MIT	6	2021-06-06 - 17:01	almost 4 years
2.9.1	MIT	6	2021-04-07 - 15:23	about 4 years
2.9.0	MIT	6	2021-01-14 - 21:36	over 4 years
2.8.0	MIT	6	2020-11-25 - 21:16	over 4 years
2.7.0	MIT	6	2020-08-26 - 19:33	over 4 years
2.6.0	MIT	6	2020-06-16 - 21:22	almost 5 years
2.5.0	MIT	6	2020-04-05 - 20:51	about 5 years
2.4.0	MIT	6	2019-11-25 - 18:45	over 5 years
2.3.1	MIT	6	2019-10-22 - 13:14	over 5 years
2.3.0	MIT	8	2019-09-28 - 17:37	over 5 years
2.2.3	MIT	8	2018-10-30 - 13:01	over 6 years
2.2.2	MIT	10	2018-03-22 - 15:10	about 7 years
2.2.1	MIT	10	2018-03-19 - 20:32	about 7 years
2.2.0	MIT	12	2018-02-11 - 22:23	about 7 years
2.1.1	MIT	10	2017-09-25 - 01:11	over 7 years
2.1.0	MIT	10	2017-09-24 - 20:48	over 7 years
2.1.0.rc2	MIT	8	2016-01-11 - 18:31	over 9 years
2.1.0.rc1	MIT	8	2015-08-17 - 23:21	over 9 years
2.0.3	MIT	8	2015-08-17 - 18:13	over 9 years
2.0.2	MIT	8	2015-05-05 - 19:59	about 10 years
2.0.1	MIT	8	2014-08-21 - 21:28	over 10 years
2.0.0	MIT	8	2014-05-09 - 22:51	almost 11 years
1.2.1	UNKNOWN	8	2012-04-14 - 19:08	about 13 years
1.2.0	UNKNOWN	8	2011-08-08 - 16:54	almost 14 years
1.1.0	UNKNOWN	8	2011-08-08 - 05:30	almost 14 years
1.0.0	UNKNOWN	8	2010-10-26 - 04:52	over 14 years
1.0.0.beta.1	UNKNOWN	8	2010-07-21 - 06:56	almost 15 years
0.4.7	UNKNOWN	8	2010-03-09 - 20:47	about 15 years
0.4.6	UNKNOWN	8	2010-02-02 - 14:54	over 15 years
0.4.5	UNKNOWN	9	2010-02-02 - 12:27	over 15 years
0.4.4	UNKNOWN	9	2010-02-01 - 21:59	over 15 years
0.4.3	UNKNOWN	9	2010-01-31 - 20:18	over 15 years
0.4.2	UNKNOWN	9	2010-01-24 - 03:54	over 15 years
0.4.1	UNKNOWN	9	2009-11-23 - 12:17	over 15 years
0.4.0	UNKNOWN	9	2009-11-22 - 03:59	over 15 years
0.3.1	UNKNOWN	9	2009-10-13 - 06:15	over 15 years
0.3.0	UNKNOWN	9	2009-10-07 - 10:38	over 15 years
0.2.2	UNKNOWN	9	2009-09-24 - 22:14	over 15 years
0.2.1	UNKNOWN	9	2009-08-20 - 05:39	over 15 years
0.2.0	UNKNOWN	9	2009-08-18 - 05:20	over 15 years