loofah 2.1.0

5 security vulnerabilities found in version 2.1.0

Inefficient Regular Expression Complexity in Loofah

high severity CVE-2022-23514
high severity CVE-2022-23514
Patched versions: >= 2.19.1

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Improper neutralization of data URIs may allow XSS in Loofah

medium severity CVE-2022-23515
medium severity CVE-2022-23515
Patched versions: >= 2.19.1
Unaffected versions: < 2.1.0

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Loofah XSS Vulnerability

medium severity CVE-2019-15587
medium severity CVE-2019-15587
Patched versions: >= 2.3.1

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah XSS Vulnerability

medium severity CVE-2018-8048
medium severity CVE-2018-8048
Patched versions: >= 2.2.1

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Loofah XSS Vulnerability

medium severity CVE-2018-16468
medium severity CVE-2018-16468
Patched versions: >= 2.2.3

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.