CVE-2022-23515: 
Ruby vulnerability analysis and mitigation

Loofah, a general library for manipulating and transforming HTML/XML documents and fragments built on top of Nokogiri, was found to contain a cross-site scripting vulnerability (CVE-2022-23515). The vulnerability affects versions from 2.1.0 up to (excluding) 2.19.1, where the application is susceptible to cross-site scripting attacks via the image/svg+xml media type in data URIs. This security issue was patched in version 2.19.1 (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue specifically involves improper neutralization of data URIs containing image/svg+xml media type content, which could lead to cross-site scripting attacks. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (GitHub Advisory).

The vulnerability allows attackers to potentially execute cross-site scripting (XSS) attacks through specially crafted SVG images embedded as data URIs. This could lead to unauthorized access to sensitive browser data and potential manipulation of web content (GitHub Advisory).

Users are advised to upgrade to Loofah version 2.19.1 or later, which contains the fix for this vulnerability. The issue was responsibly reported by Maciej Piechota and has been patched in the latest release (GitHub Advisory, Debian LTS).