EIQ-2019-0035


ID

EIQ-2019-0035

CVE

CVE-2019-16278

Description

DOMPurify could allow XSS through SVG or MATH elements

Date

24 Sep 2019

Severity

2 - MEDIUM

CVSSv3 score

6.1

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.6.0

Assessment

DOMPurify versions 2.0.6 and earlier could allow cross-site scripting (XSS) by exploiting mutation cross-site scripting (mXSS) of the innerHTML element for an SVG or MATH element.
A signed-in user with admin access rights may be able to inject potentially malicious HTML through an SVG or MATH element.

The only possible scenario where this vulnerability could be exploited in the platform might occur when a malicious extension send malicious HTML through the transport_access_details field.
Standard platform extensions must pass review and QA, and they are built in-house. A malicious extension would not pass validation, and it would be rejected.

Mitigation

To mitigate this vulnerability, upgrade DOMPurify to version 2.0.7 or later.

Affected versions

2.5.0 and earlier.

Notes

-

< Back to all security issues and mitigation actions

In release notes 2.5.0

In release notes 2.6.0