The vulnerability stems from Loofah's safelist allowing `image/svg+xml` as a media type in `data:` URIs. SVG is an XML document that can carry `<script>` elements and event-handler attributes, so a `data:image/svg+xml,...` URI that survived scrubbing could execute script wherever the browser renders the SVG as a document rather than as a plain image. The fix, as the commit diff shows, removes `image/svg+xml` from the `ALLOWED_URI_DATA_MEDIATYPES` array in `safelist.rb` and updates the corresponding test cases, so such URIs are now stripped instead of being passed through. Applications on an affected release should upgrade to 2.19.1 or later and re-scrub any stored HTML that was sanitized with the older safelist.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| loofah | rubygems | >= 2.1.0, < 2.19.1 | 2.19.1 |
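The following is an added example, not Loofah's own code or the commit being described: a self-contained Ruby reimplementation of a data-URI media-type safelist check, run with the vulnerable safelist and with the patched one, plus a version-range check matching the table above. The constant names `VULNERABLE_DATA_MEDIATYPES` and `PATCHED_DATA_MEDIATYPES`, the other image types listed in them, and the SVG payload are assumptions constructed for illustration.

```ruby
require "erb"
require "rubygems"

# Added example code, not Loofah's implementation. The lists below model the
# ALLOWED_URI_DATA_MEDIATYPES safelist before and after the fix; the entries
# other than image/svg+xml are assumed for illustration.
VULNERABLE_DATA_MEDIATYPES = %w[image/gif image/jpeg image/png image/svg+xml].freeze
PATCHED_DATA_MEDIATYPES    = %w[image/gif image/jpeg image/png].freeze

# Extract the media type from a data: URI ("data:[<mediatype>][;base64],<data>").
# Returns nil for anything that is not a data: URI. Matching is case-insensitive
# because browsers accept "DATA:Image/SVG+XML" just as readily.
def data_uri_mediatype(value)
  m = value.strip.match(%r{\Adata:([^;,]*)(?:[;,]|\z)}i)
  return nil unless m
  type = m[1].strip.downcase
  type.empty? ? "text/plain" : type # RFC 2397 default when the type is omitted
end

# Decide whether an attribute value survives scrubbing under a given data-URI
# media-type safelist. Non-data URIs are passed through here for brevity; a real
# sanitizer checks those against a separate protocol safelist.
def data_uri_allowed?(value, mediatypes)
  type = data_uri_mediatype(value)
  return true if type.nil?
  mediatypes.include?(type)
end

# Return the attribute value unchanged if allowed, nil if it must be stripped.
def scrub_attribute(value, mediatypes)
  data_uri_allowed?(value, mediatypes) ? value : nil
end

# Constructed payload: an inline SVG document carrying a script element.
SVG_SCRIPT_PAYLOAD = "data:image/svg+xml," +
  ERB::Util.url_encode('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>')

# Version-range check derived from the advisory table: >= 2.1.0, < 2.19.1.
def vulnerable_loofah?(version_string)
  v = Gem::Version.new(version_string)
  v >= Gem::Version.new("2.1.0") && v < Gem::Version.new("2.19.1")
end

if __FILE__ == $0
  puts "vulnerable safelist keeps payload: #{!scrub_attribute(SVG_SCRIPT_PAYLOAD, VULNERABLE_DATA_MEDIATYPES).nil?}"
  puts "patched safelist keeps payload:    #{!scrub_attribute(SVG_SCRIPT_PAYLOAD, PATCHED_DATA_MEDIATYPES).nil?}"
  puts "loofah 2.19.0 affected: #{vulnerable_loofah?('2.19.0')}"
  puts "loofah 2.19.1 affected: #{vulnerable_loofah?('2.19.1')}"
end
```

With the vulnerable list the SVG payload passes untouched; with the patched list it is stripped, while an ordinary `data:image/png;base64,...` value and non-data URLs are still accepted. The case-insensitive match matters: a safelist compared with a plain string equality against the raw attribute would let `data:Image/SVG+XML` through.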