EIQ-2020-0013


ID

EIQ-2020-0013

CVE

CVE-2020-26870

Description

DOMPurify could allow XSS through SVG, MATH, or FORM elements

Date

11 Nov 2019

Severity

2 - MEDIUM

CVSSv3 score

6.5

Status

Fixed in 2.9.0

Assessment

DOMPurify versions 2.1.16 and earlier could allow cross-site scripting (XSS) through mutation cross-site scripting (mXSS): the sanitizer serializes and re-parses content via innerHTML, and the browser's re-parse of an SVG, MATH, or FORM element can differ from what DOMPurify sanitized.
A signed-in user with admin access rights may be able to inject potentially malicious HTML through an SVG, MATH, or FORM element.

This blog post describes a PoC to exploit the vulnerability through the FORM element.

The only scenario in which this vulnerability could be exploited in the platform is a malicious extension sending malicious HTML through the transport_access_details field.
Platform extensions meant for production must pass internal review and QA.
A malicious extension would not pass validation and would be rejected.

Mitigation

To mitigate this vulnerability:

Affected versions

2.4.0 to 2.8.0 inclusive.

Notes

For more information, see:


See also:


In release notes 2.9.0