In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "ruby-loofah": "2.0.3-2+deb9u3build0.16.04.1" } ] }
{ "ubuntu_priority": "medium" }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "ruby-loofah": "2.3.1+dfsg-1" } ] }