
CVE-2022-23515: Improper neutralization of data URIs may allow XSS in Loofah

CVSS Score
6.1
CVSS Version
3.1

Basic Information

EPSS Score
0.44476%
Published
12/13/2022
Updated
9/14/2023
KEV Status
No
Technology
Ruby

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
loofah
Ecosystem
rubygems
Vulnerable Versions
>= 2.1.0, < 2.19.1
First Patched Version
2.19.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from Loofah's safelist allowing the 'image/svg+xml' media type in data: URIs. The fixing commit removes this MIME type from the ALLOWED_URI_DATA_MEDIATYPES array in safelist.rb and updates the corresponding test cases. An SVG document can carry <script> elements and event-handler attributes, so letting it through the data-URI media-type check meant that script-bearing content could pass the sanitizer inside a URI-valued attribute (such as href or src) and execute when that SVG was rendered in a scripting-capable context, bypassing the neutralization the sanitizer is meant to provide.
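To make the root cause concrete, the following is an added, stand-alone Ruby model of the data-URI media-type check; it was written for this page and is not Loofah's own code. The safelist contents, the function names and the SVG payload are assumptions (the page names only the ALLOWED_URI_DATA_MEDIATYPES constant and the removed image/svg+xml entry). It shows the same SVG data URI passing the pre-2.19.1 list and being dropped by the post-fix list, and why the attribute value must be normalised before the media type is compared.

```ruby
require "set"
require "cgi"
require "base64"

# Added example for this page: a stand-alone model of the data-URI media-type
# safelist check. It is NOT Loofah's own code; the list contents below are
# assumed (the page names only the ALLOWED_URI_DATA_MEDIATYPES constant and
# the removed "image/svg+xml" entry).
VULNERABLE_MEDIATYPES = Set.new(
  %w[text/plain text/css image/png image/gif image/jpeg image/svg+xml]
).freeze
# The patched list: identical except that image/svg+xml is gone.
PATCHED_MEDIATYPES = (VULNERABLE_MEDIATYPES - ["image/svg+xml"]).freeze

# A sanitizer must normalise an attribute value before matching it, otherwise
# entity-encoded or mixed-case schemes slip past the check: decode HTML
# entities, drop ASCII control characters, fold case.
def normalize_uri(value)
  CGI.unescapeHTML(value).gsub(/[\x00-\x1f\x7f]/, "").downcase
end

# Decide whether a URI-valued attribute (href, src, ...) survives scrubbing
# under the given media-type safelist. Only the data: branch is modelled;
# non-data URIs return true here because scheme checks are outside this example.
def data_mediatype_allowed?(value, allowed)
  uri = normalize_uri(value)
  return true unless uri.start_with?("data:")

  # RFC 2397 syntax: data:[<mediatype>][;base64],<data>
  header = uri.split(",", 2).first.delete_prefix("data:")
  mediatype = header.split(";").first
  mediatype = "text/plain" if mediatype.nil? || mediatype.empty? # RFC 2397 default
  allowed.include?(mediatype)
end

# Constructed payload: an SVG document carrying a <script> element, wrapped in
# a base64 data URI as an attacker would place it in a src or href attribute.
SVG_WITH_SCRIPT = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
SVG_DATA_URI = "data:image/svg+xml;base64,#{Base64.strict_encode64(SVG_WITH_SCRIPT)}"

# Same payload with the scheme entity-encoded and the media type in mixed case,
# to show why normalisation has to happen before matching.
OBFUSCATED_SVG_DATA_URI = "&#100;ata:Image/SVG+XML,#{CGI.escape(SVG_WITH_SCRIPT)}"

if __FILE__ == $PROGRAM_NAME
  [SVG_DATA_URI, OBFUSCATED_SVG_DATA_URI, "data:image/png;base64,iVBORw0KGgo="].each do |v|
    puts format("%-48.48s vulnerable=%-5s patched=%s", v,
                data_mediatype_allowed?(v, VULNERABLE_MEDIATYPES),
                data_mediatype_allowed?(v, PATCHED_MEDIATYPES))
  end
end
```

Running the file prints the decision for each value under both lists: the SVG payloads are accepted by the vulnerable list and rejected by the patched one, while a PNG data URI is accepted by both. A practitioner's caveat: whether the embedded script actually runs depends on the attribute the URI lands in (browsers do not execute script inside an SVG loaded through an img element), but a sanitizer cannot know where a scrubbed value will end up, which is why the fix removes the media type outright rather than attempting to scrub script out of SVG documents.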


WAF Protection Rules

WAF Rule

## Summary
Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs.

## Mitigation
Upgrade to Loofah `>= 2.19.1`.

## Severity
The Loofah maintainers have evaluated this as Medium Severity.
