loofah 0.3.1

5 security vulnerabilities found in version 0.3.1

Inefficient Regular Expression Complexity in Loofah

high severity CVE-2022-23514
Patched versions: >= 2.19.1

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Loofah HTML and XSS injection vulnerability

medium severity OSVDB-90945
Patched versions: >= 0.4.6

Loofah Gem for Ruby contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Loofah::HTML::Document#text function passes properly sanitized user-supplied input to the Loofah::XssFoliate and Loofah::Helpers#strip_tags functions, which convert the input back to text. This may allow an attacker to create a specially crafted request that executes arbitrary script code in a user's browser within the trust relationship between that browser and the server.

Loofah XSS Vulnerability

medium severity CVE-2019-15587
Patched versions: >= 2.3.1

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah XSS Vulnerability

medium severity CVE-2018-8048
Patched versions: >= 2.2.1

Loofah allows non-whitelisted attributes to be present in sanitized output when the input contains specially-crafted HTML fragments.

Loofah XSS Vulnerability

medium severity CVE-2018-16468
Patched versions: >= 2.2.3

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

Gem version without a license.

Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.

This gem version has not been yanked and is still available for usage.