PT-2022-7454 · Ruby+6 · Loofah+6

Haqpl

Published

2022-12-13

Updated

2026-03-13

CVE-2022-23518

CVSS v2.0

6.4

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions rails-html-sanitizer versions 1.0.3 through 1.4.3

Description The issue is related to the sanitization of HTML fragments in Rails applications when used in combination with Loofah. It allows a remote attacker to conduct cross-site scripting attacks via data URIs.

Recommendations Upgrade to rails-html-sanitizer version 1.4.4 or later. As a temporary workaround, consider restricting the use of Loofah version 2.1.0 or later until the issue is resolved.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

ALT-PU-2023-1337

ALT-PU-2023-4269

ALT-PU-2024-7813

ALT-PU-2024-7815

BDU:2024-06513

CVE-2022-23518

DLA-3566-1

DLA-3902-1

GHSA-MCVF-2Q2M-X72M

OPENSUSE-SU-2023_3714-1

OPENSUSE-SU-2024:12769-1

OPENSUSE-SU-2024:14175-1

OPENSUSE-SU-2025:15125-1

OPENSUSE-SU-2026:10361-1

RHSA-2023:2097

RLSA-2023:2097

SUSE-SU-2023:3534-1

SUSE-SU-2023:3714-1

Affected Products

Alt Linux

Astra Linux

Loofah

Red Os

Rocky Linux

Suse

Rails-Html-Sanitizer

PT-2022-7454 · Ruby+6 · Loofah+6

CVE-2022-23518

Weakness Enumeration

Related Identifiers

Affected Products

References · 49