CVE-2020-26870

moderate-risk
Published 2020-10-07

Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs because a serialize-parse roundtrip does not necessarily return the original DOM tree, and a namespace can change from HTML to MathML, as demonstrated by nesting of FORM elements.

Do I need to act?

-
0.42% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (8)

Dompurify

Affected Vendors

Debian Microsoft Oracle Cure53

References (12)

Patch https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d...
Patch https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17
Mailing List https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
Patch https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-2687...
Exploit https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17...
Patch https://www.oracle.com//security-alerts/cpujul2021.html
Patch https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d...
Patch https://github.com/cure53/DOMPurify/compare/2.0.16...2.0.17
Mailing List https://lists.debian.org/debian-lts-announce/2020/10/msg00029.html
Patch https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-2687...
Exploit https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17...
Patch https://www.oracle.com//security-alerts/cpujul2021.html
39
/ 100
moderate-risk
Severity 23/34 · High
Exploitability 2/34 · Minimal
Exposure 14/34 · Moderate