cnvd - cnvd-2018-07649

cnvd-2018-07649

Vulnerability from cnvd

Title

Ruby Loofah gem跨站脚本漏洞

Description

Ruby Loofah gem是一个用于操作和转换HTML/XML文档的通用库。 Ruby Loofah gem 2.2.0及之前版本中存在跨站脚本漏洞。远程攻击者可通过重新发布特制的HTML片段利用该漏洞使非白名单HTML属性显示在已过滤的输出中。

Severity

中

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/flavorjones/loofah/issues/144

Reference

https://tools.cisco.com/security/center/viewAlert.x?alertId=57258

Impacted products

Name
Ruby Loofah gem <=2.2.0

Show details on source website

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-8048"
    }
  },
  "description": "Ruby Loofah gem\u662f\u4e00\u4e2a\u7528\u4e8e\u64cd\u4f5c\u548c\u8f6c\u6362HTML/XML\u6587\u6863\u7684\u901a\u7528\u5e93\u3002\r\n\r\nRuby Loofah gem 2.2.0\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u91cd\u65b0\u53d1\u5e03\u7279\u5236\u7684HTML\u7247\u6bb5\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u975e\u767d\u540d\u5355HTML\u5c5e\u6027\u663e\u793a\u5728\u5df2\u8fc7\u6ee4\u7684\u8f93\u51fa\u4e2d\u3002",
  "discovererName": "Mike Dalessio",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/flavorjones/loofah/issues/144",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-07649",
  "openTime": "2018-04-13",
  "products": {
    "product": "Ruby Loofah gem \u003c=2.2.0"
  },
  "referenceLink": "https://tools.cisco.com/security/center/viewAlert.x?alertId=57258",
  "serverity": "\u4e2d",
  "submitTime": "2018-03-26",
  "title": "Ruby Loofah gem\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2018-8048 (GCVE-0-2018-8048)

Vulnerability from cvelistv5

Published

2018-03-27 17:00

Modified

2024-08-05 06:46

Severity ?

CWE

n/a

Summary

In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.

References

URL

Tags

	https://github.com/flavorjones/loofah/issues/144	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2018/03/19/5	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2018/dsa-4171	vendor-advisory, x_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-20191122-0003/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:46:13.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/flavorjones/loofah/issues/144"
          },
          {
            "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
          },
          {
            "name": "DSA-4171",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4171"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-03-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-22T08:07:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flavorjones/loofah/issues/144"
        },
        {
          "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
        },
        {
          "name": "DSA-4171",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4171"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-8048",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/flavorjones/loofah/issues/144",
              "refsource": "CONFIRM",
              "url": "https://github.com/flavorjones/loofah/issues/144"
            },
            {
              "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
            },
            {
              "name": "DSA-4171",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4171"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20191122-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-8048",
    "datePublished": "2018-03-27T17:00:00",
    "dateReserved": "2018-03-11T00:00:00",
    "dateUpdated": "2024-08-05T06:46:13.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.