loofah 2.1.0
Inefficient Regular Expression Complexity in Loofah
high severity CVE-2022-23514>= 2.19.1
Summary
Loofah < 2.19.1
contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1
.
Improper neutralization of data URIs may allow XSS in Loofah
medium severity CVE-2022-23515>= 2.19.1
< 2.1.0
Summary
Loofah >= 2.1.0, < 2.19.1
is vulnerable to cross-site scripting via the image/svg+xml
media type in data URIs.
Mitigation
Upgrade to Loofah >= 2.19.1
.
Loofah XSS Vulnerability
medium severity CVE-2019-15587>= 2.3.1
In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Loofah XSS Vulnerability
medium severity CVE-2018-8048>= 2.2.1
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
Loofah XSS Vulnerability
medium severity CVE-2018-16468>= 2.2.3
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.