In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Upstream issue: https://github.com/flavorjones/loofah/issues/171
References:
https://hackerone.com/reports/709009
https://www.debian.org/security/2019/dsa-4554
https://www.openwall.com/lists/oss-security/2019/10/22/1
Upstream commit: https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec
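Added example, not part of this record or of the Loofah project: a stdlib-only Ruby check that reads a Gemfile.lock and flags any resolved loofah pin inside the affected range (every release through 2.3.0). The sample lockfile is constructed for illustration.

```ruby
require "rubygems" # for Gem::Version, which orders releases and prereleases correctly

# Newest affected release named in the record; any version <= this is flagged.
AFFECTED_THROUGH = Gem::Version.new("2.3.0")

# True when +version+ (a string such as "2.2.3") is an affected loofah release.
# Gem::Version treats "2.3.0.rc1" as older than "2.3.0", so prereleases flag too.
def loofah_affected?(version)
  Gem::Version.new(version) <= AFFECTED_THROUGH
end

# Return every resolved loofah pin in a Gemfile.lock as [name, version] pairs.
# Resolved gems sit at 4-space indent ("    loofah (2.3.0)"); dependency
# requirements sit at 6 spaces ("      loofah (~> 2.3)") and are skipped,
# because they are constraints rather than installed versions.
def loofah_pins(lockfile_text)
  lockfile_text.each_line.map do |line|
    m = line.match(/\A {4}loofah \((\d[\w.]*)\)\s*\z/)
    m && ["loofah", m[1]]
  end.compact
end

# Versions from the lockfile that fall inside the advisory's range.
def affected_loofah_versions(lockfile_text)
  loofah_pins(lockfile_text).map(&:last).select { |v| loofah_affected?(v) }
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.3.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.4)
      rails-html-sanitizer (1.3.0)
        loofah (~> 2.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  hits = affected_loofah_versions(SAMPLE_LOCK)
  puts(hits.empty? ? "no affected loofah pin found" : "affected loofah: #{hits.join(', ')}")
end
```

Point it at a real lockfile with `affected_loofah_versions(File.read("Gemfile.lock"))`; an empty result means no resolved loofah version in the affected range.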
Created rubygem-loofah tracking bugs for this issue: Affects: fedora-all [bug 1805200]
Statement: Supported versions of Satellite 6 contain a vulnerable version of rubygem-loofah. However, it is not possible to inject untrusted SVG files, and thus it is considered that this vulnerability cannot be triggered. A future update may fix this vulnerability.