Contents

---
gem: loofah
osvdb: 90945
url: http://www.osvdb.org/show/osvdb/90945
title: Loofah HTML and XSS injection vulnerability
date: 2012-09-08

description: |
  Loofah Gem for Ruby contains a flaw that allows a remote cross-site
  scripting (XSS) attack. This flaw exists because the
  Loofah::HTML::Document\#text function passes properly sanitized
  user-supplied input to the Loofah::XssFoliate and
  Loofah::Helpers\#strip_tags functions which convert input back to
  text. This may allow an attacker to create a specially crafted
  request that would execute arbitrary script code in a user's browser
  within the trust relationship between their browser and the server.

cvss_v2: 5.0

patched_versions:
  - ">=  0.4.6"

Version data entries

15 entries across 15 versions & 3 rubygems

Version	Path
bundler-audit-0.7.0.1	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-budit-0.6.2	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-budit-0.6.1	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-audit-0.6.1	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-audit-0.6.0	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-audit-0.5.0	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-audit-0.4.0	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-audit-0.3.1	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
mrjoy-bundler-audit-0.3.3	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
mrjoy-bundler-audit-0.3.2	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
mrjoy-bundler-audit-0.3.1	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-audit-0.3.0	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
mrjoy-bundler-audit-0.2.1	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
bundler-audit-0.2.0	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml
mrjoy-bundler-audit-0.1.4	data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml