{ "CVE_data_meta" : { "ASSIGNER" : "support@hackerone.com", "ID" : "CVE-2018-3741", "STATE" : "PUBLIC" }, "affects" : { "vendor" : { "vendor_data" : [ { "product" : { "product_data" : [ { "product_name" : "rails-html-sanitizer", "version" : { "version_data" : [ { "version_value" : "<= 1.0.3" } ] } } ] }, "vendor_name" : "Rails" } ] } }, "data_format" : "MITRE", "data_type" : "CVE", "data_version" : "4.0", "description" : { "description_data" : [ { "lang" : "eng", "value" : "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when given input containing specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately." } ] }, "problemtype" : { "problemtype_data" : [ { "description" : [ { "lang" : "eng", "value" : "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)" } ] } ] }, "references" : { "reference_data" : [ { "name" : "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae", "refsource" : "CONFIRM", "url" : "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae" } ] } }