loofah 0.4.0

5 security vulnerabilities found in version 0.4.0

Inefficient Regular Expression Complexity in Loofah

high severity CVE-2022-23514
Patched versions: >= 2.19.1

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Loofah HTML and XSS injection vulnerability

medium severity OSVDB-90945
Patched versions: >= 0.4.6

Loofah Gem for Ruby contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Loofah::HTML::Document#text function passes properly sanitized user-supplied input to the Loofah::XssFoliate and Loofah::Helpers#strip_tags functions, which convert the input back to text. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Loofah XSS Vulnerability

medium severity CVE-2019-15587
Patched versions: >= 2.3.1

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah XSS Vulnerability

medium severity CVE-2018-8048
Patched versions: >= 2.2.1

Loofah allows non-whitelisted attributes to be present in sanitized output when the input contains specially-crafted HTML fragments.

Loofah XSS Vulnerability

medium severity CVE-2018-16468
Patched versions: >= 2.2.3

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

Author did not declare a license for this gem in the gemspec.

This gem version has an MIT license in the source code; however, it was not declared in the gemspec file.

This gem version is available.

This gem version has not been yanked and is still available for usage.