CVE-2020-26870 - OpenCVE

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Oracle	Application Express
Microsoft	Visual Studio 2017 Visual Studio 2019
Cure53	Dompurify
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:a:microsoft:visual_studio_2017:15.9:::::::*
	cpe:2.3:a:microsoft:visual_studio_2019:16.0:::::::*
	cpe:2.3:a:microsoft:visual_studio_2019:16.4:::::::*
	cpe:2.3:a:microsoft:visual_studio_2019:16.7:::::::*
	cpe:2.3:a:microsoft:visual_studio_2019:16.8:::::::*

Configuration 4 [-]

cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d	Patch Third Party Advisory
https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html	Mailing List Third Party Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870	Patch Vendor Advisory
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/	Exploit Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-10-07T15:50:09

Updated: 2021-07-20T22:54:41

Reserved: 2020-10-07T00:00:00

Link: CVE-2020-26870

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-10-07T16:15:18.030

Modified: 2022-04-27T18:49:51.923

Link: CVE-2020-26870

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-20T22:54:41", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17"}, {"name": "[debian-lts-announce] 20201029 [SECURITY] [DLA 2419-1] dompurify.js security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html"}, {"name": "Visual Studio Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "x_refsource_MS"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-26870", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/", "refsource": "MISC", "url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/"}, {"name": "https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d", "refsource": "MISC", "url": "https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d"}, {"name": "https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17", "refsource": "MISC", "url": "https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17"}, {"name": "[debian-lts-announce] 20201029 [SECURITY] [DLA 2419-1] dompurify.js security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html"}, {"name": "Visual Studio Remote Code Execution Vulnerability", "refsource": "MS", "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870"}, {"name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-26870", "datePublished": "2020-10-07T15:50:09", "dateReserved": "2020-10-07T00:00:00", "dateUpdated": "2021-07-20T22:54:41", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*", "matchCriteriaId": "1912C4C9-2CB9-4FE6-99ED-B0D60F553977", "versionEndExcluding": "2.0.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:visual_studio_2017:15.9:*:*:*:*:*:*:*", "matchCriteriaId": "6290EF90-AB91-4990-8D44-4F64F49AE133", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2019:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "3886D126-9ADC-4AAF-8169-70F3DE3A7773", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2019:16.4:*:*:*:*:*:*:*", "matchCriteriaId": "E904F8BF-C415-43BC-89BD-8AD912BEA82A", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2019:16.7:*:*:*:*:*:*:*", "matchCriteriaId": "E47AD481-C23D-4610-B9BC-844F7B8F7A28", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:visual_studio_2019:16.8:*:*:*:*:*:*:*", "matchCriteriaId": "BBE9B863-01E5-486C-8B9D-6DC0F78222A7", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:application_express:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F02ECEF-AC7D-4C4C-9A95-890D135F7286", "versionEndExcluding": "21.1.0.00.01", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements."}, {"lang": "es", "value": "Cure53 DOMPurify versiones anteriores a 2.0.17, permite una mutaci\u00f3n de XSS. Esto ocurre porque un viaje de ida y vuelta de an\u00e1lisis serializado no necesariamente devuelve el \u00e1rbol DOM original, y un espacio de nombres puede cambiar de HTML a MathML, como es demostrado al anidar los elementos FORM"}], "id": "CVE-2020-26870", "lastModified": "2022-04-27T18:49:51.923", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-07T16:15:18.030", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}