A flaw was found in the Loofah gem for Ruby, through v2.2.2. XSS due to unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
References: https://github.com/flavorjones/loofah/issues/154
Upstream Patch: https://github.com/flavorjones/loofah/commit/be0fd3ac0fad452730f10e318fa31706257fd081
Created rubygem-loofah tracking bugs for this issue: Affects: fedora-all [bug 1646716]
Red Hat CloudForms 5.10 and 5.11 are no longer affected since the gem is updated in cfme-gemset:
cloudforms_managementengine:5.10/cfme-gemset-0:5.10.15.1-1.el7cf:rubygem:loofah-2.2.3
cloudforms_managementengine:5.10/cfme-amazon-smartstate-0:5.10.15.1-1.el7cf:rubygem:loofah-2.2.3
cloudforms_managementengine:5.11/cfme-amazon-smartstate-0:5.11.4.2-1.el8cf:rubygem:loofah-2.2.3
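The practical question for an application owner is whether a deployment still pins a loofah release in the affected range. The advisory gives the range as "through v2.2.2" and the CloudForms rebuild ships loofah-2.2.3, so the affected requirement is "< 2.2.3". The following is an added example, not code from the bug report or from the Loofah project: a small stdlib-only Ruby script that parses a Gemfile.lock (the two lockfiles embedded below are constructed samples) and reports whether the locked loofah version is affected. The lockfile format assumptions (4-space indent for top-level spec entries, a hyphen in a version token separating a platform suffix) are the author's own, not something stated on this page.

```ruby
# Added example (not part of the bug report): flag loofah versions affected by
# CVE-2018-16468 in a Bundler lockfile. Uses only the Ruby standard library.
require "rubygems"

# Affected range taken from the advisory: "through v2.2.2", fixed in 2.2.3.
LOOFAH_AFFECTED = Gem::Requirement.new("< 2.2.3")

# Parse the "specs:" entries of a Gemfile.lock into {name => [Gem::Version]}.
# Assumption (Bundler convention, not from the advisory): a top-level spec line
# is exactly 4 spaces, the gem name, a space, and "(version[-platform])".
# Deeper-indented lines are dependency constraints and are skipped. Bundler
# normalises prerelease markers to dots, so a "-" inside the parentheses is a
# platform suffix (e.g. "1.8.5-x86_64-linux") rather than part of the version.
SPEC_LINE = /\A {4}(?<name>[A-Za-z0-9_.-]+) \((?<ver>\d[0-9A-Za-z.]*)(?:-(?<platform>[^)]+))?\)\s*\z/

def locked_gems(lockfile_text)
  gems = Hash.new { |h, k| h[k] = [] }
  lockfile_text.each_line do |line|
    m = SPEC_LINE.match(line)
    next unless m
    gems[m[:name]] << Gem::Version.new(m[:ver])
  end
  gems
end

# Returns {status: :not_present | :fixed | :affected, found: [versions], affected: [versions]}.
# A lockfile can legitimately list the same gem more than once (one entry per
# platform), so every listed version is checked, not just the first.
def cve_2018_16468_status(lockfile_text)
  found = locked_gems(lockfile_text).fetch("loofah", [])
  return { status: :not_present, found: [], affected: [] } if found.empty?
  affected = found.select { |v| LOOFAH_AFFECTED.satisfied_by?(v) }
  { status: affected.empty? ? :fixed : :affected, found: found, affected: affected }
end

# Constructed sample: still pins the last vulnerable release. The nokogiri
# entry carries a platform suffix to exercise the parser's version splitting.
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.5-x86_64-linux)
        mini_portile2 (~> 2.3.0)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails-html-sanitizer
LOCK

# Constructed sample: same application after bumping loofah to the fixed release.
FIXED_LOCK = VULNERABLE_LOCK.sub("loofah (2.2.2)", "loofah (2.2.3)")

if $PROGRAM_NAME == __FILE__
  [VULNERABLE_LOCK, FIXED_LOCK].each do |lock|
    r = cve_2018_16468_status(lock)
    puts "loofah #{r[:found].map(&:to_s).join(', ')}: #{r[:status]}"
  end
end
```

Two caveats when using this on a real system. First, a lockfile only covers gems Bundler manages; the CloudForms fix above ships loofah inside an RPM-packaged gemset, so on those hosts the authoritative check is the installed package version, not a Gemfile.lock. Second, this script only compares versions; the definitive behavioural check is the regression test added in the upstream patch commit linked above, run against the loofah actually loaded by the application.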
Statement: Red Hat Satellite 6 does not allow displaying user-defined SVGs and is thus not affected by this CVE.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-16468