CVE-2022-23515: Improper neutralization of data URIs may allow XSS in Loofah
CVSS Score
6.1 (CVSS v3.1)
Basic Information
CVE ID
CVE-2022-23515
GHSA ID
EPSS Score
0.44476%
CWE
Published
12/13/2022
Updated
9/14/2023
KEV Status
No
Technology
Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| loofah | rubygems | >= 2.1.0, < 2.19.1 | 2.19.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Loofah's safelist of permitted data: URI media types, which included 'image/svg+xml'. SVG is an XML document format that can carry <script> elements and event-handler attributes, so a data:image/svg+xml URI that survives sanitization is not a neutralized image: in any context where the browser renders the URI as a document rather than as a static bitmap, the embedded script runs in the origin of the page that embeds it. The commit diff shows that the fix in 2.19.1 removes this MIME type from the ALLOWED_URI_DATA_MEDIATYPES constant in safelist.rb and updates the corresponding test cases, so a data: URI with that media type is now stripped like any other disallowed type. Note that the media-type check is separate from the protocol safelist (which decides whether data: is accepted at all for a given attribute), so an application that extends the safelist and re-adds 'image/svg+xml' reintroduces the vector. Upgrade to loofah 2.19.1 or later; if SVG must be accepted, serve it from a separate origin rather than inline as a data: URI.
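The following is an added, self-contained illustration of the check the advisory describes; it is not Loofah's code. It models the media-type safelist as a plain Ruby Set, shows the pre-fix list beside the 2.19.1 list (the only difference being the removal of image/svg+xml), and normalizes the attribute value the way an HTML sanitizer must (entity-decoding, stripping control characters and whitespace, lower-casing) before extracting the RFC 2397 media type, so that obfuscations such as `DATA:Image/SVG+XML` or `da<TAB>ta&#58;` cannot slip past a naive prefix match. The SVG payload and the helper names (`data_uri_mediatype`, `data_uri_allowed?`, `evaluate`) are constructed for this example.

```ruby
require "set"
require "cgi"
require "erb"

# Constructed to mirror the media types named in the advisory; this is NOT a
# copy of Loofah's safelist.rb. Pre-fix list includes image/svg+xml.
PRE_FIX_DATA_MEDIATYPES = Set.new(
  %w[text/plain text/css image/png image/gif image/jpeg image/svg+xml]
).freeze

# Loofah 2.19.1 behaviour: image/svg+xml is no longer an allowed data: media type.
PATCHED_DATA_MEDIATYPES = (PRE_FIX_DATA_MEDIATYPES - ["image/svg+xml"]).freeze

# Return the media type of a data: URI (RFC 2397: data:[<mediatype>][;base64],<data>),
# or nil when the value is not a data: URI at all. Normalization mirrors what a
# sanitizer has to do before matching: decode HTML entities, drop control
# characters / whitespace that browsers ignore inside a scheme, and lower-case.
# An empty media type defaults to text/plain per RFC 2397.
def data_uri_mediatype(value)
  normalized = CGI.unescapeHTML(value)
                  .gsub(/[`\u0000-\u0020\u007f-\u00a0]+/, "")
                  .downcase
  return nil unless normalized.start_with?("data:")

  header    = normalized[5..].split(",", 2).first.to_s   # "<mediatype>[;params]"
  mediatype = header.split(";", 2).first.to_s            # strip ;base64, ;charset=...
  mediatype.empty? ? "text/plain" : mediatype
end

# true if the attribute value may be kept under the given media-type safelist.
# Non-data: URIs return true here because the scheme safelist (not modelled)
# is the check responsible for them.
def data_uri_allowed?(value, safelist)
  mediatype = data_uri_mediatype(value)
  return true if mediatype.nil?

  safelist.include?(mediatype)
end

# Compare pre-fix and patched behaviour for one attribute value.
def evaluate(value)
  {
    mediatype:  data_uri_mediatype(value),
    before_fix: data_uri_allowed?(value, PRE_FIX_DATA_MEDIATYPES),
    patched:    data_uri_allowed?(value, PATCHED_DATA_MEDIATYPES),
  }
end

# Constructed payload: an SVG document carrying both an event handler and a
# <script> element, packed into a data: URI.
SVG_DOCUMENT = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
    <script>alert(1)</script>
  </svg>
SVG
SVG_PAYLOAD = "data:image/svg+xml," + ERB::Util.url_encode(SVG_DOCUMENT)

if $PROGRAM_NAME == __FILE__
  samples = [
    SVG_PAYLOAD,
    "DATA:Image/SVG+XML;base64,PHN2Zz48L3N2Zz4=",  # case and ;base64 parameter
    "da\tta&#58;image/svg+xml,%3Csvg%2F%3E",       # tab + entity-encoded colon
    "data:image/png;base64,iVBORw0KGgo=",           # benign bitmap, still allowed
    "data:,hello",                                  # empty type => text/plain
    "https://example.com/logo.png",                 # not a data: URI
  ]
  samples.each do |s|
    r = evaluate(s)
    printf("%-45s type=%-14s before_fix=%-5s patched=%s\n",
           s[0, 44], r[:mediatype].inspect, r[:before_fix], r[:patched])
  end
end
```

The decisive line is the Set difference: every other part of the check is unchanged between the two versions, which is why the advisory's fix is a one-constant edit plus test updates. The normalization step is what makes the safelist meaningful; without it, the third sample would pass a naive `start_with?("data:image/svg+xml")` rejection unchanged.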