EIQ-2020-0013

ID	EIQ-2020-0013
CVE	CVE-2020-26870
Description	DOMPurify could allow XSS through `SVG`, `MATH`, or `FORM` elements
Date	11 Nov 2019
Severity	2 - MEDIUM
CVSSv3 score	6.5
Status	2.9.0
Assessment	DOMPurify versions 2.1.16 and earlier could allow cross-site scripting (XSS) by exploiting mutation cross-site scripting (mXSS) of the `innerHTML` element for an `SVG`, `MATH`, or `FORM` element. A signed-in user with admin access rights may be able to inject potentially malicious HTML through an `SVG`, `MATH`, or `FORM` element. This blog post describes a PoC to exploit the vulnerability through the `FORM` element. The only possible scenario where this vulnerability could be exploited in the platform might occur when a malicious extension sends malicious HTML through the `transport_access_details` field. Platform extensions meant for production must pass internal review and QA. A malicious extension would not pass validation, and it would be rejected.
Mitigation	To mitigate this vulnerability: Upgrade DOMPurify to version 2.2.2 or later. Do not parse HTML from untrusted sources.
Affected versions	2.4.0 to 2.8.0 included.
Notes	For more information, see: EIQ-2019-0035 CVE-2020-26870 on mitre.org CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) GitHub PR with the fix This section is not visible to users accessing the public docs, it's for internal reference See also: SNYK-JS-DOMPURIFY-1016634 SNYK-JS-DOMPURIFY-1035544 Slack convo in PSIRT channel Slack convo in PSIRT channel

< Back to all security issues and mitigation actions

In release notes 2.9.0