Github Security Blog
added 2026/03/26 10:19 p.m., 9 views

Loofah has improper detection of disallowed URIs via `allowed_uri?`

Summary: Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details: The allowed_uri? method strips literal control characters before decoding HTML entities. Payloa...

AI score: 5.6
Exploits: 0 | References: 5 | Affected software: 1
OSV
added 2026/03/26 10:19 p.m., 2 views

GHSA-2J22-PR5W-6GQ8 Loofah has improper detection of disallowed URIs via `allowed_uri?`

Summary: Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab. Details: The allowed_uri? method strips literal control characters before decoding HTML entities. Payloa...

CVSS: 2.3 | AI score: 5.7
Exploits: 0 | References: 5
Snyk
added 2026/03/18 5:26 p.m., 3 views

Cross-site Scripting (XSS)

Overview: loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the Loofah::HTML5::Scrub.allowed_uri? function. An attacker can inject malicious script...

CVSS: 7.2 | AI score: 5.4
Exploits: 0 | References: 2
RedHat Linux
added 2025/01/28 9:36 a.m., 4 views

git-lfs: Git LFS permits exfiltration of credentials via crafted HTTP URLs

A flaw was found in the Git LFS git extension. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Gi...

CVSS: 8.5 | AI score: 5.7 | EPSS: 0.00326
Exploits: 0 | References: 7