ESB-2018.3440 - [Win][UNIX/Linux][BSD][Debian][FreeBSD] Loofah: Cross-site scripting - Existing account 2018-11-02



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3440
             A vulnerability has been identified in Loofah gem
                              2 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Loofah
Publisher:         FreeBSD
Operating System:  FreeBSD
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
                   BSD variants
                   Debian GNU/Linux
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16468  

Original Bulletin: 
   http://www.vuxml.org/freebsd/36a2a89e-7ee1-4ea4-ae22-7ca38019c8d0.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than FreeBSD. It is recommended that administrators
         running Loofah check for an updated version of the software for 
         their operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

Loofah -- XSS vulnerability

Affected packages

rubygem-loofah < 2.2.3

Details

VuXML ID 36a2a89e-7ee1-4ea4-ae22-7ca38019c8d0

Discovery 2018-10-30

Entry 2018-11-01

GitHub issue:

This issue has been created for public disclosure of an XSS vulnerability that
was responsibly reported (independently) by Shubham Pathak and @yasinS (Yasin
Soliman).

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in 
sanitized output when a crafted SVG element is republished.

References

CVE Name CVE-2018-16468

URL https://github.com/flavorjones/loofah/issues/154

URL https://github.com/flavorjones/loofah/releases

--------------------------END INCLUDED TEXT--------------------
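An added example, not part of the bulletin or the Loofah project: a small Ruby script that parses a Bundler Gemfile.lock and reports whether the pinned loofah gem is below the fixed release 2.2.3 named above. The sample lockfile is constructed for illustration; pass a real Gemfile.lock path as the first argument to check an application.

```ruby
# Added example (not from the AusCERT bulletin or the Loofah project):
# scan a Bundler Gemfile.lock for the loofah gem and report whether the
# pinned version is below the fixed release 2.2.3 given in the advisory.
require "rubygems"

FIXED_LOOFAH_VERSION = Gem::Version.new("2.2.3")

# Gemfile.lock lists resolved gems under "specs:" as "    name (version)".
# Returns a Hash of gem name => Gem::Version for the top-level entries only
# (four-space indent); six-space lines are dependency constraints, not pins.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    specs[m[1]] = Gem::Version.new(m[2])
  end
  specs
end

# Returns :vulnerable, :fixed, or :absent for the loofah gem in the lockfile.
# Gem::Version ordering treats pre-releases (e.g. 2.2.3.rc1) as older than 2.2.3.
def loofah_status(lockfile_text)
  version = parse_lockfile_specs(lockfile_text)["loofah"]
  return :absent if version.nil?
  version < FIXED_LOOFAH_VERSION ? :vulnerable : :fixed
end

# Constructed sample lockfile fragment for demonstration (not from a real app).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.5)
        mini_portile2 (~> 2.3.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOCKFILE : File.read(ARGV[0])
  puts "loofah: #{loofah_status(text)}"
end
```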

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
