{"id":"CVE-2018-8048","details":"In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.","aliases":["GHSA-x7rv-cr6v-4vm4"],"modified":"2026-03-15T22:26:37.875939Z","published":"2018-03-27T17:29:00.757Z","related":["SUSE-SU-2019:0394-1","SUSE-SU-2019:2209-1","SUSE-SU-2022:4075-1","openSUSE-SU-2024:11337-1","openSUSE-SU-2024:11340-1","openSUSE-SU-2024:11900-1","openSUSE-SU-2024:11912-1","openSUSE-SU-2024:13162-1","openSUSE-SU-2024:13165-1","openSUSE-SU-2024:14171-1","openSUSE-SU-2024:14174-1","openSUSE-SU-2025:14697-1","openSUSE-SU-2025:15120-1","openSUSE-SU-2026:10353-1","openSUSE-SU-2026:10356-1"],"references":[{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4171"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2018/03/19/5"},{"type":"ADVISORY","url":"https://github.com/flavorjones/loofah/issues/144"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20191122-0003/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/flavorjones/loofah","events":[{"introduced":"0"},{"fixed":"7541374548ee9be53c463a3172cf4d28356ebe1c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.2.1"}]}}],"versions":["v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.4.5","v0.4.6","v0.4.7","v1.0.0","v1.0.0.beta.1","v1.1.0","v1.2.0","v1.2.1","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.1.0","v2.1.0.rc1","v2.1.0.rc2","v2.1.1","v2.2.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8048.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}