Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.
References
Link | Resource |
---|---|
https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d | Patch Third Party Advisory |
https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17 | Patch Third Party Advisory |
https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html | Mailing List Third Party Advisory |
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870 | Patch Vendor Advisory |
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ | Exploit Third Party Advisory |
https://www.oracle.com//security-alerts/cpujul2021.html | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-10-07T15:50:09
Updated: 2021-07-20T22:54:41
Reserved: 2020-10-07T00:00:00
Link: CVE-2020-26870
JSON object: View
NVD Information
Status : Analyzed
Published: 2020-10-07T16:15:18.030
Modified: 2022-04-27T18:49:51.923
Link: CVE-2020-26870
JSON object: View
Redhat Information
No data.
CWE