CVE-2022-23515

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs. This issue is patched in version 2.19.1.

Published: Dec 14, 2022
Updated: Sep 14, 2023
CVE: CVE-2022-23515
GHSA: GHSA-228g-948r-83gx
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
loofah_project / loofah	2.1.0	2.19.1
loofah	2.1.0	2.19.1
debian / debian_linux	10.0	10.0.x

https://github.com/flavorjones/loofah/commit/415677f3cf7f9254f42f811e784985cd63c7407f
https://github.com/flavorjones/loofah/issues/101
https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23515.yml
https://github.com/w3c/svgwg/issues/266
https://hackerone.com/reports/1694173
https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html

Vulnerability Database

290,206

CVE-2022-23515