EIQ-2019-0035

| ID | EIQ-2019-0035 |
|---|---|
| CVE | |
| Description | DOMPurify could allow XSS through SVG or MATH elements |
| Date | 24 Sep 2019 |
| Severity | 2 - MEDIUM |
| CVSSv3 score | 6.1 |
| Status | ✅ 2.6.0 |
| Assessment | DOMPurify versions 2.0.6 and earlier could allow cross-site scripting (XSS) by exploiting mutation cross-site scripting (mXSS) of the innerHTML element for an SVG or MATH element. A signed-in user with admin access rights may be able to inject potentially malicious HTML through an SVG or MATH element. The only scenario in which this vulnerability could be exploited in the platform is a malicious extension sending malicious HTML through the transport_access_details field. Standard platform extensions must pass review and QA, and they are built in-house. A malicious extension would not pass validation, and it would be rejected. |
| Mitigation | To mitigate this vulnerability, upgrade DOMPurify to version 2.0.7 or later. |
| Affected versions | 2.5.0 and earlier. |
| Notes | - |
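The mitigation above is a version bump of the DOMPurify package. The following script, added here as an example and not part of the advisory or of the DOMPurify project, scans a `package-lock.json` object for every copy of `dompurify` (direct or transitive) and reports those older than 2.0.7, the first release the advisory names as fixed. It assumes the npm lock-file layouts (`dependencies` for lockfileVersion 1, `packages` for lockfileVersion 2/3); the sample lock-file content embedded in the script is constructed for the example, and the platform version numbers in the table (2.5.0, 2.6.0) are not what it checks.

```javascript
// Added example: find DOMPurify copies older than the fixed release in a
// package-lock.json structure. Not code from the advisory or from DOMPurify.

// First DOMPurify release with the fix, per the advisory's mitigation.
const FIXED_VERSION = "2.0.7";

// Parse "major.minor.patch" (a leading "v" or trailing pre-release tag is tolerated
// and ignored; this is a deliberately small subset of semver).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare numerically component by component; returns -1, 0 or 1.
// (A plain string compare would rank "2.0.10" below "2.0.9".)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed DOMPurify version predates the fixed release.
function isVulnerableDomPurify(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk both lock-file layouts and return every vulnerable dompurify occurrence
// with the node_modules path it was found at.
function findVulnerableDomPurify(lock) {
  const findings = [];

  // lockfileVersion 2/3: flat "packages" map keyed by install path,
  // e.g. "node_modules/dompurify" or "node_modules/x/node_modules/dompurify".
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path.split("/").pop() === "dompurify" && info.version) {
      findings.push({ path, version: info.version });
    }
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}/${name}`;
      if (name === "dompurify" && info.version) {
        findings.push({ path, version: info.version });
      }
      walk(info.dependencies, `${path}/node_modules`);
    }
  };
  walk(lock.dependencies, "node_modules");

  return findings.filter((f) => isVulnerableDomPurify(f.version));
}

// Constructed sample lock file (lockfileVersion 1): a vulnerable direct
// dependency and a transitive copy that is already on the fixed release.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    dompurify: { version: "2.0.6" },
    "some-widget": {
      version: "1.0.0",
      dependencies: { dompurify: { version: "2.0.7" } },
    },
  },
};

// Reports only node_modules/dompurify@2.0.6 for the sample above.
console.log(JSON.stringify(findVulnerableDomPurify(SAMPLE_LOCK), null, 2));
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the parsed contents of `package-lock.json`; a non-empty result means at least one copy of DOMPurify in the tree still needs the upgrade, including transitive copies that a top-level `npm ls dompurify` may hide behind other packages.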