{"containers": {"cna": {"affected": [{"product": "rails-html-sanitizer", "vendor": "Rails", "versions": [{"status": "affected", "version": "<= 1.0.3"}]}], "datePublic": "2018-03-30T00:00:00", "descriptions": [{"lang": "en", "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-03-30T18:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2018-3741", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "rails-html-sanitizer", "version": {"version_data": [{"version_value": "<= 1.0.3"}]}}]}, "vendor_name": "Rails"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae", "refsource": "CONFIRM", "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T04:50:30.644Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2018-3741", "datePublished": "2018-03-30T19:00:00", "dateReserved": "2017-12-28T00:00:00", "dateUpdated": "2024-08-05T04:50:30.644Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:html_sanitizer:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "E221C207-396B-4686-AB55-18000F88663E", "versionEndIncluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."}, {"lang": "es", "value": "Es posible que haya una vulnerabilidad Cross-Site Scripting (XSS) en todas las versiones inferiores a la 1.0.4 de la gema rails-html-sanitizer para Ruby. La gema permite que los atributos que no est\u00e1n en una lista blanca est\u00e9n presentes en las salidas saneadas cuando la entrada incluye fragmentos HTML especialmente manipulados. Estos atributos pueden conducir a un ataque Cross-Site Scripting (XSS) en las aplicaciones objetivo. Este problema es similar a CVE-2018-8048 en Loofah. Todos los usuarios que ejecuten una distribuci\u00f3n afectada deben actualizarla o utilizar una de las alternativas inmediatamente."}], "id": "CVE-2018-3741", "lastModified": "2023-01-30T16:10:42.337", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-30T19:29:00.333", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "support@hackerone.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ansible-runner-0:1.1.2-2.el7ar", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ansible-tower-0:3.3.3-1.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "bubblewrap-0:0.1.7-1.el7", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-0:5.10.0.33-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-amazon-smartstate-0:5.10.0.33-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-appliance-0:5.10.0.33-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "cfme-gemset-0:5.10.0.33-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "dbus-api-service-0:1.0.1-5.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "dumb-init-0:1.2.0-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "erlang-0:19.3.6.7-1.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "google-compute-engine-0:2.0.0-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "google-config-0:2.0.0-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "httpd-configmap-generator-0:0.2.2-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "nginx-1:1.10.2-1.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-cluster-upgrade-0:1.1.8-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-disaster-recovery-0:1.1.2-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-engine-setup-0:1.1.5-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-image-template-0:1.1.8-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-infra-0:1.1.8-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-manageiq-0:1.1.12-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-repositories-0:1.1.2-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-roles-0:1.1.5-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-shutdown-env-0:1.0.0-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-v2v-conversion-host-0:1.6.3-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ovirt-ansible-vm-infra-0:1.1.10-1.el7ev", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "postgresql96-0:9.6.10-1PGDG.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "prince-0:9.0r2-10.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "pyOpenSSL-0:17.3.0-4.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-bambou-0:3.0.1-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-colorama-0:0.3.7-2.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-crypto-0:2.6.1-16.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-daemon-0:2.1.2-7.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-funcsigs-0:1.0.2-1.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-future-0:0.16.0-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-lockfile-1:0.11.0-10.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-meld3-0:0.6.10-1.el7", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-mock-0:2.0.0-1.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-pbr-0:3.1.1-2.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-pexpect-0:4.6-1.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-psutil-0:5.4.3-2.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-ptyprocess-0:0.5.2-3.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-pylxca-0:2.1.1-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-pysocks-0:1.5.6-3.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-requests-0:2.14.2-1.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-requests-toolbelt-0:0.8.0-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-tabulate-0:0.8.2-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-urllib3-0:1.21.1-1.2.el7ost", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "python-vspk-0:5.3.2-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "qpid-proton-0:0.19.0-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rabbitmq-server-0:3.7.4-1.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rh-postgresql95-repmgr-0:4.0.6-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "ruby-0:2.4.5-90.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-bcrypt-0:3.1.12-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-ffi-0:1.9.25-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-hamlit-0:2.8.8-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-http_parser.rb-0:0.6.0-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-json-0:2.1.0-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-linux_block_device-0:0.2.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-memory_buffer-0:0.1.0-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-nio4r-0:2.3.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-nokogiri-0:1.8.2-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-ovirt-engine-sdk4-0:4.2.4-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-pg-0:0.18.4-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-puma-0:3.7.1-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-qpid_proton-0:0.22.0-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-redhat_access_cfme-0:2.0.3-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-redhat_access_lib-0:1.1.4-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-rugged-0:0.27.4-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-sqlite3-0:1.3.13-2.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-unf_ext-0:0.0.7.5-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "rubygem-websocket-driver-0:0.6.5-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "smem-0:1.4-1.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "supervisor-0:3.1.4-1.el7", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "wmi-0:1.3.14-7.el7cf", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}, {"advisory": "RHSA-2019:0212", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7", "package": "wxGTK3-0:3.0.3-5.el7at", "product_name": "CloudForms Management Engine 5.10", "release_date": "2019-02-07T00:00:00Z"}], "bugzilla": {"description": "rubygem-rails-html-sanitizer: non-whitelisted attributes are present in sanitized output when input with specially-crafted HTML fragments leading to XSS vulnerability", "id": "1568842", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1568842"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately."], "name": "CVE-2018-3741", "package_state": [{"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ror42-rubygem-rails-html-sanitizer", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ror50-rubygem-rails-html-sanitizer", "product_name": "Red Hat Software Collections"}], "public_date": "2018-03-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-3741\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-3741"], "statement": "This issue affects the versions of rubygem-rails-html-sanitizer as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security impact of Moderate. This vulnerability won't be fixed on CloudForms 4, because it uses libxml 2.9.1 and since the vulnerability requires a libxml >= 2.9.2 in order to be exploitable. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/", "threat_severity": "Moderate", "upstream_fix": "rubygem-rails-html-sanitizer 1.0.4"}