CVE-2022-23515.yml
26 lines (23 loc) · 716 Bytes
---
gem: loofah
cve: 2022-23515
ghsa: 228g-948r-83gx
url: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
title: "Improper neutralization of data URIs may allow XSS in Loofah"
date: 2022-12-13
description: |
  ## Summary
  Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs.
  ## Mitigation
  Upgrade to Loofah `>= 2.19.1`.
cvss_v3: 6.1
unaffected_versions:
  - "< 2.1.0"
patched_versions:
  - ">= 2.19.1"
related:
  url:
    - https://cwe.mitre.org/data/definitions/79.html
    - https://github.com/w3c/svgwg/issues/266
    - https://hackerone.com/reports/1694173
    - https://github.com/flavorjones/loofah/issues/101