CVE-2018-8048

Impact:
Moderate
Public Date:
2018-03-15
CWE:
CWE-79
Bugzilla:
1559071: CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2

The MITRE CVE dictionary describes this issue as:

In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.

Find out more about CVE-2018-8048 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of rubygem-loofah as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 6.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Impact Low
Availability Impact None

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-ror50-rubygem-loofah Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-ror42-rubygem-loofah Not affected

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.