CVE-2018-8048: Cross-site Scripting in loofah
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.59896%
CWE
Published
3/21/2018
Updated
7/5/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
loofah | rubygems | < 2.2.1 | 2.2.1 |
nokogiri | rubygems | < 1.8.3 | 1.8.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from libxml2's handling of certain attributes in HTML serialization (specifically GNOME/libxml2@960f0e2). Loofah's scrubber in vulnerable versions lacked the forced escaping workaround for these attributes. The key vulnerable functions are the attribute scrubbing methods that failed to apply additional escaping for BROKEN_ESCAPING_ATTRIBUTES when using affected libxml2 versions. The Nokogiri package's role was primarily through its dependency on vulnerable libxml2 versions, but the direct vulnerable functions reside in Loofah's sanitization logic.