Bug 1568842 (CVE-2018-3741) - CVE-2018-3741 rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability
Summary: CVE-2018-3741 rubygem-rails-html-sanitizer: non-whitelisted attributes are pr...
Status: NEW
Alias: CVE-2018-3741
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1559658 1568845 1569130 1569131 1576590 1576591
Blocks: 1568847
TreeView+ depends on / blocked
Reported: 2018-04-18 10:17 UTC by Adam Mariš
Modified: 2019-09-29 14:37 UTC (History)
21 users (show)

Fixed In Version: rubygem-rails-html-sanitizer 1.0.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Adam Mariš 2018-04-18 10:17:48 UTC
There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.

Upstream fix:


Comment 1 Adam Mariš 2018-04-18 10:18:19 UTC
Created rubygem-rails-html-sanitizer tracking bugs for this issue:

Affects: fedora-all [bug 1568845]

Comment 7 Richard Maciel Costa 2018-12-18 19:52:00 UTC

This issue affects the versions of rubygem-rails-html-sanitizer as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security  impact of Moderate. This vulnerability won't be fixed on CloudForms 4, because it uses libxml 2.9.1 and since the vulnerability requires a libxml >= 2.9.2 in order to be exploitable. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/

Note You need to log in before you can comment on or make changes to this bug.