CVE-2020-26870

MEDIUM

DOMPurify < 2.0.17 - Mutation Cross-Site Scripting via MathML Namespace Bypass


Description

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

References (6)

- Patch, Third Party Advisory (x_refsource_misc): https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17
- Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
- Patch, Vendor Advisory (vendor-advisory, x_refsource_ms): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870
- Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com//security-alerts/cpujul2021.html

Scores

CVSS v3 6.1
EPSS 0.0042
EPSS Percentile 61.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (9)
cure53/dompurify < 2.0.17
debian/debian_linux 9.0
microsoft/visual_studio_2017 15.9
microsoft/visual_studio_2019 16.0
microsoft/visual_studio_2019 16.4
microsoft/visual_studio_2019 16.7
microsoft/visual_studio_2019 16.8
npm/dompurify 0 - 2.0.17
oracle/application_express < 21.1.0.00.01
Published Oct 07, 2020
Tracked Since Feb 18, 2026