CVE-2020-26870

CVE Database · CVE-2020-26870

CVE-2020-26870

· MEDIUMModified

CVSS v3.1

6.1

EPSS

4.52%

Published

Oct 7, 2020

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

Affected Products (8)

cure53 · dompurify (up to 2.0.17)vulnerable

debian · debian_linuxvulnerable

microsoft · visual_studio_2017vulnerable

microsoft · visual_studio_2019vulnerable

oracle · application_express (up to 21.1.0.00.01)vulnerable

References (12)

https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d

PatchThird Party Advisory

https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html

Mailing ListThird Party Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-26870

PatchVendor Advisory

https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs