
CVE-2018-8048: Cross-site Scripting in loofah

CVSS Score (3.0): 6.1

Basic Information

EPSS Score: 0.59896%
Published: 3/21/2018
Updated: 7/5/2023
KEV Status: No
Technology: Ruby

Technical Details

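CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|--------------|-----------|---------------------|-----------------------|
| loofah       | rubygems  | < 2.2.1             | 2.2.1                 |
| nokogiri     | rubygems  | < 1.8.3             | 1.8.3                 |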

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from libxml2's handling of certain attributes in HTML serialization (specifically GNOME/libxml2@960f0e2). Loofah's scrubber in vulnerable versions lacked the forced escaping workaround for these attributes. The key vulnerable functions are the attribute scrubbing methods that failed to apply additional escaping for BROKEN_ESCAPING_ATTRIBUTES when using affected libxml2 versions. The Nokogiri package's role was primarily through its dependency on vulnerable libxml2 versions, but the direct vulnerable functions reside in Loofah's sanitization logic.
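A dependency check for the versions listed in the table above, as an added example that is not code from Loofah, Nokogiri or Miggo. It reads the resolved gems from a Gemfile.lock and reports any loofah or nokogiri entry below its first patched version. The names `cve_2018_8048_findings`, `FIRST_PATCHED`, `SPEC_LINE` and the sample lockfile are assumptions made for this example, and the check looks at gem versions only, not at the libxml2 version in use.

```ruby
require "rubygems" # Gem::Version (loaded by default; explicit for clarity)

# First patched versions, taken from the package table on this page.
FIRST_PATCHED = {
  "loofah"   => Gem::Version.new("2.2.1"),
  "nokogiri" => Gem::Version.new("1.8.3"),
}.freeze

# Resolved gems sit at a 4-space indent in the "specs:" block of a
# Gemfile.lock, e.g. "    nokogiri (1.8.2-java)". Dependency constraints
# use a 6-space indent and are deliberately not matched.
SPEC_LINE = /\A {4}(?<name>[A-Za-z0-9_.\-]+) \((?<version>[^)\s]+)\)\s*\z/

# Returns one hash per locked gem that is below its first patched version.
def cve_2018_8048_findings(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = SPEC_LINE.match(line.chomp)
    next unless m && FIRST_PATCHED.key?(m[:name])
    # Drop a platform suffix such as "-java" or "-x86_64-linux".
    raw = m[:version].split("-").first
    next unless Gem::Version.correct?(raw)
    locked = Gem::Version.new(raw)
    fixed = FIRST_PATCHED[m[:name]]
    next unless locked < fixed
    { gem: m[:name], locked: locked.to_s, first_patched: fixed.to_s }
  end
end

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.3)
      loofah (2.2.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.3.0)
      nokogiri (1.8.3)
        mini_portile2 (~> 2.3.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  cve_2018_8048_findings(SAMPLE_LOCK).each do |f|
    puts "#{f[:gem]} #{f[:locked]} is below first patched version #{f[:first_patched]}"
  end
end
```

To audit a real project, pass `File.read("Gemfile.lock")` instead of the sample string.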

WAF Protection Rules

WAF Rule

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments. Users are affected if running Loofah < *.*.*, but only:
* when running on MRI or RBX,
* in combination with libxml2 >= *.*.
