loofah 2.2.1
Uncontrolled Recursion in Loofah
high severity CVE-2022-23516
Patched versions: >= 2.19.1
Unaffected versions: < 2.2.0
Summary
Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
Inefficient Regular Expression Complexity in Loofah
high severity CVE-2022-23514
Patched versions: >= 2.19.1
Summary
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Improper neutralization of data URIs may allow XSS in Loofah
medium severity CVE-2022-23515
Patched versions: >= 2.19.1
Unaffected versions: < 2.1.0
Summary
Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.
Mitigation
Upgrade to Loofah >= 2.19.1.
Loofah XSS Vulnerability
medium severity CVE-2019-15587
Patched versions: >= 2.3.1
In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Loofah XSS Vulnerability
medium severity CVE-2018-16468
Patched versions: >= 2.2.3
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leak issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.