CVE-2022-23515
cross-site scripting vulnerability in loofah (RubyGems)
What is CVE-2022-23515 About?
Loofah versions `≥ 2.1.0, < 2.19.1` are vulnerable to cross-site scripting (XSS) via the `image/svg+xml` media type in data URIs. This flaw allows an attacker to inject and execute arbitrary scripts in a victim's browser. Exploitation typically involves tricking a user into viewing malicious content sanitized by Loofah.
Affected Software
Technical Details
The vulnerability in Loofah arises from insufficient sanitization of content that uses the `image/svg+xml` media type within data URIs. When Loofah sanitizes HTML content, it fails to properly neutralize script embedded in SVG images loaded via data URIs. An attacker can craft a data URI containing an `image/svg+xml` payload with embedded JavaScript. If this insufficiently sanitized content is then rendered in a user's browser, the script executes in the context of the vulnerable website, resulting in cross-site scripting (CWE-79).
What is the Impact of CVE-2022-23515?
Successful exploitation may allow attackers to execute arbitrary client-side scripts in a victim's browser, potentially leading to session hijacking, data theft, or website defacement.
What is the Exploitability of CVE-2022-23515?
Exploitation requires an attacker to deliver malicious content (typically HTML containing a crafted data URI with SVG and embedded script) to a user, and have that content passed through the vulnerable Loofah sanitization process before being rendered in a browser. The attack is remote but requires user interaction (e.g., clicking a link or viewing a malicious page). No authentication is typically required for the initial payload delivery. The complexity is moderate, as it requires knowledge of SVG and data URI encapsulation to bypass sanitization. The likelihood of exploitation increases in applications that accept and display user-generated content that is passed through Loofah's sanitization without proper post-processing security checks.
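As an added example that is not part of this advisory or of Loofah's own code, the following Ruby script performs the two checks a maintainer would want after reading the Technical Details and Exploitability sections above: whether an installed Loofah version falls in the affected range `>= 2.1.0, < 2.19.1`, and a post-sanitization check that flags `image/svg+xml` data URIs in sanitized output (the "post-processing security check" mentioned above). The HTML inputs are constructed placeholders, not a real payload.

```ruby
require "rubygems"

# Affected range taken from the advisory: >= 2.1.0, < 2.19.1.
AFFECTED_LOOFAH = Gem::Requirement.new(">= 2.1.0", "< 2.19.1")

# True when the given Loofah version string is within the affected range.
def loofah_vulnerable?(version)
  AFFECTED_LOOFAH.satisfied_by?(Gem::Version.new(version))
end

# Matches quoted URL-bearing attributes (src, href, xlink:href, data, poster).
# Loofah emits well-formed HTML with quoted attributes, so an attribute-level
# regex is adequate as a secondary check on *sanitized* output; it is not a
# general HTML parser and should not replace upgrading to 2.19.1.
URI_ATTR = /\b(?:src|href|xlink:href|data|poster)\s*=\s*(["'])(.*?)\1/im

# Returns the raw attribute values that are data: URIs with the
# image/svg+xml media type, after normalizing case and whitespace
# (browsers ignore tabs/newlines inside URLs, so so do we).
def svg_data_uris(html)
  html.scan(URI_ATTR).filter_map do |_quote, value|
    normalized = value.gsub(/[\s\u0000-\u001F]/, "").downcase
    next unless normalized.start_with?("data:")
    # The media type runs from "data:" up to the first ";" or ",".
    media_type = normalized.sub("data:", "").split(/[;,]/, 2).first
    value if media_type == "image/svg+xml"
  end
end

# Post-processing gate: reject sanitized HTML that still carries an
# image/svg+xml data URI anywhere a browser would dereference it.
def safe_post_sanitize?(html)
  svg_data_uris(html).empty?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample output; "AAAA" stands in for an opaque base64 body.
  sample = %(<img src="data:image/svg+xml;base64,AAAA"><a href="https://example.com/">ok</a>)
  puts "Loofah 2.18.0 affected: #{loofah_vulnerable?('2.18.0')}"
  puts "Flagged URIs: #{svg_data_uris(sample).inspect}"
  puts "Output safe to render: #{safe_post_sanitize?(sample)}"
end
```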
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-23515?
Available Upgrade Options
- loofah
  - >=2.1.0, <2.19.1 → Upgrade to 2.19.1
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-23515
- https://lists.debian.org/debian-lts-announce/2024/09/msg00044.html
- https://hackerone.com/reports/1694173
- https://osv.dev/vulnerability/GHSA-228g-948r-83gx
- https://github.com/flavorjones/loofah
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23515.yml
- https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
What are Similar Vulnerabilities to CVE-2022-23515?
Similar Vulnerabilities: CVE-2021-23358, CVE-2020-7798, CVE-2019-15880, CVE-2018-1000539, CVE-2017-0870
