Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. Affected versions: Loofah < 2.2.1, but only: * when running on MRI or RBX, * in combination with libxml2 >= 2.9.2. Upstream bug: https://github.com/flavorjones/loofah/issues/144 Upstream patch: https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116 Reference: http://seclists.org/oss-sec/2018/q1/253
Created rubygem-loofah tracking bugs for this issue: Affects: fedora-all [bug 1559072]
Statement: This issue affects the versions of rubygem-loofah as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security impact of Moderate. This vulnerability won't be fixed on CloudForms 4, because it uses libxml 2.9.1 and since the vulnerability requires a libxml >= 2.9.2 in order to be exploitable. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/