There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2018-03-30T19:00:00

Updated: 2024-08-05T04:50:30.644Z

Reserved: 2017-12-28T00:00:00

Link: CVE-2018-3741

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-03-30T19:29:00.333

Modified: 2024-11-21T04:05:59.343

Link: CVE-2018-3741

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-03-21T00:00:00Z

Links: CVE-2018-3741 - Bugzilla