EIQ-2020-0013#

ID	EIQ-2020-0013
CVE	CVE-2020-26870
Description	DOMPurify could allow XSS through SVG, MATH, or FORM elements
Date	11 Nov 2019
Severity	2 - MEDIUM
CVSSv3 score	6.5
Status	✅ 2.9.0
Assessment	DOMPurify versions 2.1.16 and earlier could allow cross-site scripting (XSS) by exploiting mutation cross-site scripting (mXSS) of the innerHTML element for an SVG, MATH, or FORM element. A signed-in user with admin access rights may be able to inject potentially malicious HTML through an SVG, MATH, or FORM element. This blog post describes a PoC to exploit the vulnerability through the FORM element. The only possible scenario where this vulnerability could be exploited in the platform might occur when a malicious extension sends malicious HTML through the transport_access_details field. Platform extensions meant for production must pass internal review and QA. A malicious extension would not pass validation, and it would be rejected.
Mitigation	To mitigate this vulnerability: Upgrade DOMPurify to version 2.2.2 or later. Do not parse HTML from untrusted sources.
Affected versions	2.4.0 to 2.8.0 included.
Notes	For more information, see: EIQ-2019-0035 CVE-2020-26870 on mitre.org CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) GitHub PR with the fix